Airgapped Support

EPM fully supports deployment in environments where endpoints cannot connect to the Keeper cloud backend — including classified networks, air-gapped data centers, and highly regulated environments with outbound internet restrictions. This page covers offline agent registration, local policy management, and the operational differences between online and airgapped deployments.

Overview of Airgapped Operation

In a standard online deployment, the KEPM agent registers with the Keeper cloud backend over HTTPS, receives policies via sync-down, and posts audit events and inventory data to the cloud. In an airgapped deployment, none of those network paths are available.

KEPM addresses this through two mechanisms:

1. Offline registration — A two-step process that allows an agent to obtain a valid registration without ever making a direct connection to the Keeper backend.

2. Local policy files — Policies deployed as JSON files directly on the endpoint, which the agent loads and enforces without requiring cloud connectivity.

Both mechanisms can be used together or independently. It is also possible to run in a hybrid mode where the agent syncs with the backend when connectivity is periodically available, and falls back to local policies when it is not.

Offline Registration

Standard registration requires the agent to reach the Keeper backend directly. Offline registration replaces the direct connection with a two-step data transfer process that can be carried out via USB, network share, or any other file transfer method available in your environment.

Local Policy Files

In both fully airgapped and hybrid deployments, policies can be deployed as JSON files placed directly in the policies/ folder within the KEPM installation directory:

The KeeperPolicy plugin monitors this folder and reloads automatically when files are added, modified, or removed — no service restart is required.

Local policy files take precedence over server-synced policies. If a local file contains a policy with the same PolicyId as a server policy, the local version is used. This allows local overrides in specific environments without affecting the broader fleet configuration.

Two file formats are supported:

Preprocessed policy registry format — A full snapshot of the policy registry as exported from a running KEPM instance. This is the recommended format for airgapped deployments because it captures the complete evaluated state including resolved collections. Export this from a connected machine by copying its currentPolicies.json file.

Raw policy template format — Individual policy JSON files in the same format used to define policies in the Admin Console. These are preprocessed by the local agent on load.

Importing Encrypted Policy Data

For environments where local policy files need to stay synchronized with the central policy configuration, KEPM supports importing an encrypted policy data package — a file containing the same SyncDownResponse payload the agent would normally receive over the network, encrypted with the agent's public key.

Process:

1. On a connected machine with access to the Keeper backend, export the policy data for the target airgapped agent. The export is encrypted with that agent's public key, so it can only be decrypted by the specific agent it was generated for.

2. Transfer the encrypted binary file to the airgapped machine via your available transfer method.

3. Send an OfflinePolicyData message to the local MQTT API with the path to the file.

The agent decrypts the file, processes the policies exactly as it would a live sync-down response, and updates the active policy registry.

Common errors:

Hybrid Deployments

In a hybrid deployment, agents can connect to the backend periodically (for example, monthly or when manually connected to a management VLAN) and sync normally. Between connections, they enforce the policies that were last synced, supplemented by any local policy files in the policies/ folder.

This is the simplest approach for environments with intermittent connectivity. No special configuration is required — the agent automatically syncs when connectivity is available and falls back to cached policies when it is not.

Audit Events in Airgapped Environments

The KEPM agent queues audit events locally when the backend is unreachable. When connectivity is restored, the queued events are posted automatically. Events are stored in the agent's unified storage and are not lost during service restarts.

For environments where connectivity is never restored (fully permanent airgap), audit events accumulate locally and should be extracted via the local HTTP API or log files for forwarding to your internal SIEM or audit system. See Reading Logs for log file paths and formats.

Security Considerations

Registration data is encrypted end-to-end. The AgentData package returned during offline registration is encrypted with the agent's public key. Even if the transfer medium is intercepted, the data cannot be used to register a different agent.

Policy files must be protected from unauthorized modification. Local policy files take precedence over server-synced policies. Ensure the policies/ folder is writable only by the service account. See the Security Hardening guide for recommended file permission settings.

Encrypted policy import is agent-specific. An encrypted policy data file generated for one agent cannot be used on another agent — the decryption will fail. This prevents policy data files from being replayed across machines.