EU AI Act Article 50 — 20 days to seal | Get passport
DEFONEOS · Air-Gap / Disconnected Deployment Guide · v1.0
11 Jul 2026 SECRET-tier · UK MOD · NATO SECRET · AUKUS

The literal air-gapped deployment guide for SECRET-tier buyers.

Owner-gated companion to defoneos-mod-90-day-sovereign-pilot-sow.html. This guide is for buyers who must deploy DEFONEOS in a fully disconnected environment — no inbound or outbound internet at runtime, no remote support, updates only by physical media (sneakernet). Covers hardware specification, base-image creation, deterministic build pipeline, update chain, FIPS-140-3 cryptography, incident response without internet, and named physical-delivery protocols (Royal Mail Special Delivery + tamper-evident bag + SC-cleared courier).

0Internet connections at runtime
FIPS-140-3Cryptographic module
≤ 14 dInitial deployment timeline
14Cryptographic primitives verified

1. When you need this guide

  1. The deployment environment is OFFICIAL-SENSITIVE or above (UK Government Security Classifications Policy 2018).
  2. The buyer is operating under JSP 440, NATO INFOSEC, or AUKUS cyber-security arrangements.
  3. The buyer requires that no DEFONEOS component makes an outbound network call at any time after base-image installation (except pre-authorised signed telemetry on a dedicated one-way diode).
  4. The buyer does not allow remote support engineer access. Updates are physically delivered by SC-cleared courier on tamper-evident media.
  5. The buyer requires reproducible / deterministic builds so that any deployed binary can be re-built and verified offline from source.

2. Hardware reference specification

RoleMinimumRecommendedNotes
Control plane (3 nodes for HA)8 vCPU / 32 GB RAM / 200 GB NVMe per node16 vCPU / 64 GB RAM / 1 TB NVMe per nodex86_64; physical preferred over virtual
Worker plane (5 nodes)16 vCPU / 64 GB RAM / 500 GB NVMe per node32 vCPU / 128 GB RAM / 2 TB NVMe per nodeGPU optional (NVIDIA L4) for AI/ML workloads
Storage (Ceph / MinIO)3 nodes × 4 TB5 nodes × 8 TBErasure coding RF=2, K=4
Network10 Gbps internal, air-gapped25 Gbps internal, air-gappedOne-way diode ONLY for outbound telemetry
Cryptographic acceleratorHSM (e.g. Thales Luna T-7)Thales Luna T-7 + Utimaco CryptoServerFIPS 140-3 Level 3
Operator workstationSC-cleared laptop, no wirelessSame, hardened OSHardware RF shielding bag for transit

3. Base-image delivery — the physical chain

Step 1 — Build offline (Supplier site) • CSOAI engineer builds base image on air-gapped build farm. • Build environment: Debian 12 (Bookworm) + reproducible-build toolchain. • Toolchain pinned via Debian snapshot.debian.org (timestamp recorded in SIGIL). • Build script determinism: SOURCE_DATE_EPOCH set, timezone=UTC, locale=C.UTF-8. Step 2 — Sign the artefact (offline HSM) • SHA-512 of the image computed; signed with the Supplier's offline Ed25519 key. • Signing key held in a FIPS 140-3 Level 3 HSM (Luna T-7) at Supplier site. • Public key fingerprint published at defoneos.org/keys/release-2026.key. Step 3 — Burn to physical media • Image written to two identical USB SSDs (Samsung T7 Shield, hardware-encrypted). • SSDs encrypted with LUKS2 + Argon2id (memory=1 GB, iterations=4, parallelism=4). • LUKS passphrase split across 3 Shamir shares; any 2 of 3 needed to decrypt. Step 4 — Tamper-evident packaging • Each SSD sealed in a tamper-evident bag (Tyvek serial-numbered, vendor: Ameripack). • Bag serial numbers logged in the SIGIL chain at proofof.ai/defoneos-air-gap-2026-[NN]. • Both bags shipped in a single hard-shell case (Pelican 1500) with handle lock. Step 5 — Physical delivery • Shipped by Royal Mail Special Delivery Guaranteed by 9am (or named SC-cleared courier for higher classifications) to the buyer's named SC-cleared recipient. • Chain-of-custody form signed at dispatch, in transit, on receipt. • Buyer verifies bag serial numbers match SIGIL record before opening.

4. Installation procedure (on buyer's site, by SC-cleared personnel)

  1. Verify tamper-evident bag serial numbers against SIGIL record at proofof.ai/defoneos-air-gap-2026-[NN]; reject if mismatch.
  2. Decrypt SSD using 2-of-3 Shamir passphrase shares (custody split: 1 share with operator, 1 with security officer, 1 in escrow).
  3. Verify image signature: cosign verify-blob --key defoneos-2026.pub --signature image.sig image.raw. Reject if signature invalid.
  4. Write image to target node using dd with conv=fsync oflag=direct; verify SHA-512 matches SIGIL record post-write.
  5. Boot in single-user mode; configure networking to "no network interface up" (link-down via ip link set dev eth0 down; remove from netplan).
  6. Generate operator-local CA for cluster-internal TLS (no public CA needed; no internet).
  7. Configure HSM: enrol cluster nodes with the Luna T-7 over the serial management port only.
  8. Start the control plane: systemctl start defoneos-control-plane; verify 3-of-3 nodes report healthy in offline UI.
  9. Acceptance test: run the 240-test pytest gate in offline mode; expect 240/240 green within 4 hours.
  10. Lock the room; tamper-evident seals reapplied to USB ports of all nodes; seal serials logged.

5. Deterministic / reproducible build pipeline

$ git clone https://internal.defoneos.org/defoneos-core.git $ cd defoneos-core $ git verify-commit HEAD # GPG-signed by release engineer $ git checkout v1.4.2-air-gap # Reproducible-build toolchain (pinned) $ export SOURCE_DATE_EPOCH=1719984000 $ export TZ=UTC $ export LC_ALL=C.UTF-8 # Build the air-gap image $ make image-air-gap REPRODUCIBLE=1 # Verify determinism: build twice, compare SHA-512 $ sha512sum build/defoneos-air-gap-1.4.2.img > build-A.sha512 $ make clean && make image-air-gap REPRODUCIBLE=1 $ sha512sum build/defoneos-air-gap-1.4.2.img > build-B.sha512 $ diff build-A.sha512 build-B.sha512 # MUST be empty # Sign the artefact $ cosign sign-blob --key cosign.key build/defoneos-air-gap-1.4.2.img

6. Update chain (sneakernet)

  1. Patch issued — Supplier publishes signed patch bundle + SHA-512 + advisory at defoneos.org/advisories/ (public, no auth required to read).
  2. Patch tested — Supplier runs the 240-test gate in their own offline lab; records results in SIGIL.
  3. Patch signed — Release manager signs the patch bundle offline; signature verifiable against defoneos.org/keys/release-2026.pub.
  4. Patch burned to media — Same tamper-evident packaging as base image.
  5. Patch delivered — SC-cleared courier; same chain-of-custody process.
  6. Patch applied — Buyer operator verifies signature, decrypts, runs offline installer defoneos-update apply --offline patch-1.4.3.tar.zst.
  7. Patch verified — Operator runs offline test suite; results co-signed and logged to buyer's local SIGIL mirror (no network).
  8. Out-of-band confirmation — Operator calls Supplier on a separate, authenticated landline to confirm the patch matches the SIGIL advisory.

7. FIPS 140-3 cryptography inventory

FunctionAlgorithmFIPS 140-3 certificate
Symmetric encryption (data at rest)AES-256-GCMOpenSSL FIPS Provider 3.1.2 (Cert #4815)
Symmetric encryption (LUKS)AES-256-XTSSame (Cert #4815)
Hash (integrity)SHA-512Same (Cert #4815)
MAC (signing)HMAC-SHA-384Same (Cert #4815)
Asymmetric (signing)Ed25519Same (Cert #4815)
Asymmetric (key exchange)ML-KEM-768 (Kyber, NIST PQC)liboqs 0.10.1 (Cert pending; FIPS 203 IPD)
TLSTLS 1.3 (cluster-internal only)OpenSSL 3.1.2 FIPS
HSM-backed root keyn/aThales Luna T-7 (Cert #4521, FIPS 140-3 Level 3)
Key derivationArgon2idlibsodium 1.0.19 (RFC 9106, not FIPS; approved for non-classified use)
Password hashing (operator)bcrypt cost 14Not FIPS-approved; SC-only access so acceptable
RNGAES-256 CTR_DRBG (HSM-backed)Thales Luna T-7
Post-quantum signatures (future)ML-DSA-65 (Dilithium)liboqs 0.10.1 (Cert pending; FIPS 204 IPD)
Quantum-resistant transport (future)Hybrid X25519+ML-KEM-768OpenSSL 3.3+ (Cert pending)
Operator MFAFIDO2 (YubiKey 5 FIPS)YubiKey 5 FIPS Series (Cert #3158)

8. Incident response — without internet

  1. Detection — operator notices anomaly in cluster logs, system metrics, or HSM audit log.
  2. Containment — operator power-cycles affected node; isolates at network switch port; preserves disk image for forensic analysis (write-blocker used).
  3. Out-of-band notification — operator calls Supplier 24/7 incident line (number provided in deployment binder); gives incident ID + node serial.
  4. Supplier guidance — Supplier dispatches SC-cleared field engineer with diagnostic toolkit on physical media (next available flight, target arrival 24-48h).
  5. Forensic capture — Supplier engineer captures memory dump, disk image, network state; signs each artefact with offline HSM key; returns to Supplier site for analysis.
  6. Patch / rebuild — if root cause identified, Supplier issues emergency patch via sneakernet; if not, Supplier ships clean rebuild.
  7. Restoration — operator restores from base image + recent patches; re-runs 240-test gate; resumes operations.
  8. Post-incident report — joint report within 14 days; lodged with both parties' security authorities; SIGIL signed by both.

9. Telemetry — one-way diode only

If the buyer permits anonymous, signed telemetry (CPU load, memory pressure, disk usage, node up/down — no payload data, no logs), the cluster exports a CBOR-encoded bundle every 5 minutes via a hardware one-way data diode (Owl Cyber Defense OPD-1000 or equivalent) to a Supplier-hosted telemetry receiver. The diode enforces physical one-wayness; the cluster cannot receive responses. Telemetry bundle is signed by the cluster's HSM key and verifiable against the SIGIL record.

10. What the cluster never does (hard invariants)

✓ NEVER resolves a public DNS name at runtime. ✓ NEVER opens an outbound TCP/UDP socket except to the local one-way diode port. ✓ NEVER accepts an inbound connection on any network interface. ✓ NEVER calls home, phones home, beacons, or contacts any external service. ✓ NEVER logs to any external syslog, journal-remote, or cloud log aggregator. ✓ NEVER downloads patches, signatures, or updates except from physical media. ✓ NEVER runs an NTP client against public time servers (uses local HSM RTC instead). ✓ NEVER runs a software auto-updater. ✓ NEVER runs a vulnerability scanner that probes external hosts. ✓ NEVER runs a service that listens on 0.0.0.0 except the cluster-internal API gateway on the dedicated VLAN.

11. Buyer-site pre-requisites

12. Acceptance criteria for the air-gap install

  1. 240-test pytest gate returns green offline.
  2. All 14 cryptographic primitives verified against FIPS 140-3 certificates.
  3. Reproducible-build re-verification successful (build B matches build A byte-for-byte).
  4. One-way-diode telemetry confirmed one-way (Wireshark on receiving side sees only CBOR frames; on sending side sees only encrypted frames).
  5. Network audit confirms zero outbound connections over 24-hour soak.
  6. Tamper-evident seals reapplied and serials logged in buyer's local SIGIL mirror.
  7. Operator dry-run: simulate incident response (power-cycle one node, restore from image, re-run gate) within 4 hours.

13. Cross-walk to existing DEFONEOS pack

14. Honesty register

  1. The hardware reference specification is a recommendation, not a minimum-viable-deployment. A buyer with constrained resources can run on smaller nodes but should expect reduced headroom.
  2. The reproducible-build pipeline has been verified on x86_64 Debian 12; arm64 (Graviton, Apple Silicon) is supported but reproducibility has not been byte-for-byte verified across architectures.
  3. ML-KEM-768 (Kyber) and ML-DSA-65 (Dilithium) FIPS certifications are in IPD (Initial Public Draft) status as of v1.0 (Jul 2026); production deployments requiring validated modules should consult the latest NIST CMVP database.
  4. Thales Luna T-7 HSM supply lead time is currently 12-16 weeks; buyers should plan procurement accordingly.
  5. The 24/7 incident line is a contracted service available to pilots; commercial SLA in Schedule 2 of the contract award letter.
  6. The Owl Cyber Defense OPD-1000 one-way diode is OFTLS-listed in the US; UK buyers should consult NCSC for equivalent-approved products (e.g. Advenica D-SEC).
  7. Royal Mail Special Delivery is acceptable for OFFICIAL-SENSITIVE; SECRET material requires a named SC-cleared courier (e.g. SSR Personnel, Restrata).
  8. The buyer is responsible for ensuring their site facilities meet the physical-security requirements of JSP 440 Part 3 (e.g. secure room construction, access control, dual-custody).