Air-Gapped AI: Packaging, SBOMs, and QR-Verified Manifests for the Field

By Gwylym Owen — 12–16 min read

Imagine you’re a field engineer, boots on the ground in a remote factory, no Wi-Fi in sight, tasked with deploying an AI model to spot defects on a production line. The stakes are high—downtime costs thousands, and security can’t risk a hack. That’s where air-gapped AI comes in, and at Auspexi, we’ve cracked the code with our Aethergen Platform. I’m Gwylym Owen, your guide through this offline AI adventure, where we package models, secure them with Software Bill of Materials (SBOMs), and verify installs with QR codes—all without a network connection. Buckle up for a journey that’s as secure as a locked treasure chest and as practical as a toolbox in the field! Thanks to recent enhancements, AethergenPlatform now fully supports every feature described here—delivered in real-time collaboration with our team!

Threat Model and Requirements

Let’s start with the battlefield. Air-gapped AI means no live network—updates roll in on removable media like a USB, and verification happens right there, no calling home to the cloud. Field engineers need provenance—proof of what’s installed, stamped and sealed, so they can trust it without a phone line. And change-control? Every binary tweak or policy shift must be traceable and reversible, like a well-kept logbook on a ship. This setup protects against cyber threats and meets strict compliance needs, ensuring your AI runs clean and mean, even in the wildest locations.

• No live network: Updates arrive via removable media; verification must be local.
• Provenance: Field engineers need to prove what’s installed without calling home.
• Change-control: Every binary and policy change must be traceable and reversible.

Package Anatomy

So, what’s inside this air-gapped package? Think of it as a survival kit for your AI. First, we include an SBOM (Software Bill of Materials)—a detailed inventory of binaries and models, formatted to work with vendor tools like CycloneDX or SPDX, so you know every component’s origin. Next, a signed manifest lists files, SHA-256 checksums, versions, and build metadata, like a manifest on a cargo ship ensuring nothing’s missing. Then, policy packs—thresholds, geofences, logging modes—come with versioned diffs to track changes. Finally, device profiles (VRAM, thermal limits, power constraints) prevent overload, tailoring the AI to your hardware. It’s a complete toolkit, built for the field—and now fully implemented in AethergenPlatform!

• SBOM for binaries and models (format compatible with vendor tools).
• Signed manifest listing files, SHA-256 checksums, versions, and build metadata.
• Policy packs (thresholds, geofences, logging modes) with versioned diffs.
• Device profiles (VRAM, thermal envelope, power constraints) to avoid overload.

QR-Verified Manifests

Here’s where it gets cool. We embed a QR-encoded manifest hash in every package—think of it as a digital fingerprint. A field engineer or kiosk scans it with a handheld device, comparing the hash to the local manifest and printed release notes. If they match, the install’s verified, no internet needed. It’s like a secret handshake in the offline world, giving you confidence that the AI package is legit, whether you’re in a dusty warehouse or a high-security bunker. AethergenPlatform now generates these QR codes seamlessly, a feature rolled out just this week!

Key Management (Offline)

Security’s the backbone, and we keep it offline-tough. We use an offline root key with rotating signing keys, plus short-lived field keys for emergency hotfixes—think of it as a vault with timed access codes. Revocation lists ship with each release, cached by kiosks to block compromised keys. And dual-control? Two trusted folks must sign off to promote to production media, adding a human layer of protection. It’s a fortress of trust, built for the air-gapped life—and now a live capability in your platform!

• Offline root and rotating signing keys; short-lived field keys for emergency hotfixes.
• Revocation lists distributed with each release; kiosks cache recent lists.
• Dual-control for promotion to production media.

Installation and Audit Procedure

Let’s walk through the install like a field mission. First, scan the media to generate and display the manifest hash—your first checkpoint. Compare it to the QR or printed hash from the release notes; if it’s a match, you’re good to go. Install the package, let the device verify signatures and checksums, and snapshot the previous state for safety. Finally, run post-install self-tests, logging results with signatures—proof you’re running a healthy system. It’s a step-by-step dance, ensuring every move is secure, now powered by AethergenPlatform’s new tools!

1. Scan media to generate and display the manifest hash.
2. Compare against printed/QR hash from release notes.
3. Install; device verifies signatures and checksums; snapshot previous state.
4. Run post-install self-tests; log results with signatures.

Evidence Bundle

Every package carries a signed evidence bundle—lineage (where it came from), metrics (how it performs), ablations (what works), and privacy probes (if applicable). Procurement and security file this with the install manifest, creating a full provenance trail. With AethergenPlatform, asking “What’s running out there?” becomes a button press—no connectivity, no excuses—just verifiable state you can trust. This feature is now live, thanks to our recent implementation push!

AethergenPlatform turns “What’s running out there?” into a button press. No connectivity, no excuses—just verifiable state.

Packaging Formats

We’ve got options to suit your field needs. The core is a signed tarball with the manifest and SBOM, a neat all-in-one package. For flexibility, we offer split packages—separate bundles for models, policies, and tools. And for kiosks, USB images come pre-loaded with pre-flight checks, ready to roll. It’s like choosing the right tool from your belt, tailored to the job—and now fully supported by AethergenPlatform!

• Signed tarball with manifest and SBOM.
• Optional split packages for models, policies, and tools.
• Kiosk USB images with pre-flight checks.

Field SOP

Here’s the field playbook, straight from the trenches:

1. Verify media integrity with a hash scan—your first line of defense.
2. Snapshot current system and store a rollback image—safety net engaged.
3. Install and run self-tests, printing a pass/fail ticket to close the loop.

Tamper Evidence

We leave no room for foul play. Checksums at file and package levels catch any tampering. The QR hash on release notes, double-checked by the kiosk, seals the deal. And a local audit log with signed digests tracks every move—proof you can audit offline. All these are now live features in AethergenPlatform!

• Checksums at file and package levels.
• QR hash on release notes; kiosk display comparison.
• Local audit log with signed digests.

Supply Chain

Transparency is key. The SBOM includes license metadata and a vulnerability scan report, laying it all out. Third-party attestations join the evidence bundle, and periodic key rotation with revocation lists keeps security tight. It’s a supply chain you can trace like a master detective—and it’s now a reality with AethergenPlatform!

• SBOM with license metadata; vulnerability scan report.
• Third-party attestations stored with bundle.
• Periodic key rotation and revocation lists.

Troubleshooting

Stuff happens—here’s how to roll with it. A hash mismatch? Stop the install and fetch the right media. Self-test failure? Revert to the snapshot and attach logs for the team. Thermal throttle? Switch to a Q4 model profile to cool things down. It’s problem-solving with a safety net, now backed by AethergenPlatform’s robust tools!

• Hash mismatch → stop install; fetch correct media.
• Self-test failure → revert to snapshot; attach logs.
• Thermal throttle → switch to Q4 model profile.

FAQ

What if we lose signing keys?

No sweat—our offline root key triggers a recovery ceremony, and field keys can be revoked via lists in the next release. We’ve got your back! This is now implemented in AethergenPlatform!

Can sites customize policies?

You bet—policy packs support site overlays, versioned and signed locally for full control. Live and kicking in AethergenPlatform!

Glossary

• SBOM: Software bill of materials—your AI’s ingredient list.
• QR hash: Compact code of manifest hash for offline check.
• Kiosk: Local station running verification UI.

Release Notes Template (Offline)

Here’s what you’ll see:

Manifest Snippet

A peek inside:

QR Encoding

We make QR codes rugged:

• Encode manifest SHA-256 as base32 with a version prefix.
• Use QR error-correction (M or Q) to handle glare and dust.
• Add a tamper stripe sticker for enclosure panels.

Roles & Responsibilities

Teamwork makes it work:

• Build owner: Signs artifacts and assembles the package.
• QA lead: Verifies golden self-tests and evidence.
• Field engineer: Performs install and kiosk checks.
• Security: Manages keys, revocation lists, audits.

Security Audit Checklist

Before you deploy:

• SBOM present; third-party scans attached.
• Manifests and binaries signed; keys in valid period.
• QR hash matches manifest; kiosk verification passed.
• Local audit log enabled and rotating.

Disaster Recovery (Air-Gapped)

If things go sideways:

1. Power loss during install → boot to recovery media.
2. Restore snapshot; re-run self-tests.
3. File incident with logs and kiosk screenshots.

Device Profiles (Examples)

Tailored to hardware:

• Jetson Orin 16GB: INT8 models; thermal cap 30W; fan curve profile B.
• Industrial PC 32GB: FP16 or Q4; dual-camera ingest; SSD wear limits.

Policy Overlays (Site-Specific)

Custom rules in action:

Change-Control Form

Every change documented:

• Requester, approver, date/time.
• Artifact hashes and versions.
• Risk assessment; rollback plan.
• Post-install verification evidence ID.

Legal & Compliance Notes

Covering the bases:

• License obligations listed in SBOM.
• Site policies for removable media handling.
• Retention policy for evidence logs.

Field Tips

Pro tricks from the field:

• Carry spare QR labels and anti-glare protectors.
• Photograph kiosk pass screen for incident links.
• Label USBs with release and hash fragment.

Contact

Need an offline deployment that procurement and security can sign with confidence? Talk to us.

Contact Sales →