
Overview

Air-gapped deployment is for environments with no internet connectivity. Enclave operates entirely within your isolated network. No call-home, no telemetry, no external dependencies.

Differences from on-premise

Feature             On-Premise           Air-Gapped
Licence validation  Online (periodic)    Offline (certificate-based)
Container images    Pull from registry   Transferred via removable media
Updates             docker compose pull  Manual transfer + load
Telemetry           Optional             Disabled
External SMTP       Supported            Internal SMTP relay required

Offline licence

Air-gapped deployments use an offline licence certificate tied to your hardware fingerprint:
  1. Generate a hardware fingerprint on your target server:
    curl -s https://releases.quelden.com/enclave/fingerprint.sh | bash
    # Outputs: enclave-fingerprint-abc123.json
    
    Transfer the fingerprint file to an internet-connected machine.
  2. Submit the fingerprint to Quelden — you receive a signed licence certificate (enclave-licence.crt).
  3. Transfer the certificate to your air-gapped environment and set:
    ENCLAVE_LICENCE_CERT=/path/to/enclave-licence.crt
    ENCLAVE_LICENCE_MODE=offline
    
Licence certificates are valid for 12 months. Renewal requires repeating the fingerprint process.

Transferring images

Container images are distributed as .tar archives via secure file transfer:
# On internet-connected machine — download and export
docker pull registry.quelden.com/enclave:1.4.0
docker save registry.quelden.com/enclave:1.4.0 | gzip > enclave-1.4.0.tar.gz

# Transfer to air-gapped environment via approved media

# On air-gapped server — load
gunzip -c enclave-1.4.0.tar.gz | docker load
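
The following is an added example, not part of Quelden's tooling: it wraps the save/transfer/load steps above with a SHA-256 check so a damaged or altered archive is rejected before `docker load` runs. The function names and the `.sha256` sidecar file are assumptions of this example.

```shell
#!/bin/sh
# Added example: integrity check around the docker save / docker load transfer.
# Function names and the ".sha256" sidecar file are assumptions of this example.

# Connected side: record the SHA-256 of the exported archive next to it.
# Usage: write_manifest enclave-1.4.0.tar.gz
write_manifest() {
    archive=$1
    dir=$(dirname "$archive")
    base=$(basename "$archive")
    # Run inside the directory so the manifest stores a relative file name
    # and still verifies after the files are copied to another path.
    ( cd "$dir" && sha256sum "$base" > "$base.sha256" )
}

# Air-gapped side: check the digest and the gzip stream before loading.
# Returns 0 if both pass, 1 on mismatch or corruption, 2 if no manifest exists.
verify_archive() {
    archive=$1
    dir=$(dirname "$archive")
    base=$(basename "$archive")
    [ -f "$dir/$base.sha256" ] || {
        echo "missing manifest for $base" >&2
        return 2
    }
    ( cd "$dir" && sha256sum -c "$base.sha256" >/dev/null 2>&1 ) || {
        echo "digest mismatch: $base" >&2
        return 1
    }
    gzip -t "$archive" 2>/dev/null || {
        echo "corrupt gzip stream: $base" >&2
        return 1
    }
    return 0
}

# Load only an archive that passed verification (needs docker on the server).
# Usage: load_verified enclave-1.4.0.tar.gz
load_verified() {
    verify_archive "$1" || return $?
    gunzip -c "$1" | docker load
}
```

A digest carried on the same media as the archive detects corruption in transit but not deliberate substitution; record the digest through a separate channel if tampering is in scope.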

Internal SMTP

Email notifications (invitations, alerts) require an internal SMTP relay:
SMTP_HOST=smtp.internal.yourorg
SMTP_PORT=587
If no SMTP is available, set EMAIL_DISABLED=true — all invitation links are generated and displayed in the admin console instead.

HSM requirement

Air-gapped deployments must use an on-premise HSM (HYOK). Cloud KMS is not available without internet access. Supported HSMs:
  • Thales Luna Network HSM
  • Entrust nShield Connect
  • Utimaco SecurityServer
See Key Management → On-premise HSM for KMIP configuration.

Support

Air-gapped environment support is handled via encrypted email or an approved secure channel. Contact security@quelden.com to establish a support arrangement before deployment.