# Airgapped Support

EPM fully supports deployment in environments where endpoints cannot connect to the Keeper cloud backend — including classified networks, air-gapped data centers, and highly regulated environments with outbound internet restrictions. This page covers offline agent registration, local policy management, and the operational differences between online and airgapped deployments.

## Overview of Airgapped Operation

In a standard online deployment, the KEPM agent registers with the Keeper cloud backend over HTTPS, receives policies via sync-down, and posts audit events and inventory data to the cloud. In an airgapped deployment, none of those network paths are available.

KEPM addresses this through two mechanisms:

1. **Offline registration** — A two-step process that allows an agent to obtain a valid registration without ever making a direct connection to the Keeper backend.
2. **Local policy files** — Policies deployed as JSON files directly on the endpoint, which the agent loads and enforces without requiring cloud connectivity.

Both mechanisms can be used together or independently. It is also possible to run in a **hybrid mode** where the agent syncs with the backend when connectivity is periodically available, and falls back to local policies when it is not.

## Offline Registration

Standard registration requires the agent to reach the Keeper backend directly. Offline registration replaces the direct connection with a two-step data transfer process that can be carried out via USB, network share, or any other file transfer method available in your environment.

{% stepper %}
{% step %}
**Initialize Registration on the Airgapped Machine**

With the KEPM service running on the airgapped machine, send an `OfflineRegisterInit` request via the local MQTT API. This generates a registration initialization payload containing the agent's public key and machine identifier, without requiring any network access.

**The response from this step contains:**

* `AgentUID` — The unique identifier that will represent this agent
* `PublicKey` — The agent's ECDSA public key (Base64URL encoded)
* `MachineID` — A hash identifying this machine

**Export this data and transfer it to a connected machine** using your available transfer method (USB drive, printed QR code, internal file share, etc.).
{% endstep %}

{% step %}
**Complete Registration on a Connected Machine**

On a connected machine (or through an administrator with access to the Keeper Admin Console), use the exported initialization data to complete the registration. The Keeper backend will encrypt the resulting registration data (the `AgentData` package) using the agent's public key — meaning only the specific airgapped agent can decrypt it.

**Transfer the encrypted `AgentData` file back to the airgapped machine** and provide it to the agent via an `OfflineRegisterComplete` request.

**After Registration**

Once offline registration is complete, the agent behaves exactly as it would after online registration — it has a registered identity, can load policies, and generates audit events. Audit events are queued locally until connectivity is available to post them.

To re-register or update registration on an already-registered airgapped agent, include `"ForceRegister": true` in the initialization request, or unregister the agent first using the `KeeperUnregistrationHelper`.
{% endstep %}
{% endstepper %}

## Local Policy Files

In both fully airgapped and hybrid deployments, policies can be deployed as JSON files placed directly in the `policies/` folder within the KEPM installation directory:

<table data-header-hidden="false" data-header-sticky><thead><tr><th width="125.3333740234375">Platform</th><th>Policies folder</th></tr></thead><tbody><tr><td>Windows</td><td><code>C:\Program Files\Keeper Security\Endpoint Privilege Management\Plugins\bin\KeeperPolicy\policies\</code></td></tr><tr><td>Linux</td><td><code>/opt/keeper/sbin/Plugins/bin/KeeperPolicy/policies/</code></td></tr><tr><td>macOS</td><td><code>/Library/Keeper/sbin/Plugins/bin/KeeperPolicy/policies/</code></td></tr></tbody></table>

The KeeperPolicy plugin monitors this folder and reloads automatically when files are added, modified, or removed — no service restart is required.

**Local policy files take precedence over server-synced policies.** If a local file contains a policy with the same `PolicyId` as a server policy, the local version is used. This allows local overrides in specific environments without affecting the broader fleet configuration.

### **Two file formats are supported:**

*Preprocessed policy registry format* — A full snapshot of the policy registry as exported from a running KEPM instance. This is the recommended format for airgapped deployments because it captures the complete evaluated state including resolved collections. Export this from a connected machine by copying its `currentPolicies.json` file.

*Raw policy template format* — Individual policy JSON files in the same format used to define policies in the Admin Console. These are preprocessed by the local agent on load.

## Importing Encrypted Policy Data

For environments where local policy files need to stay synchronized with the central policy configuration, KEPM supports importing an encrypted policy data package — a file containing the same `SyncDownResponse` payload the agent would normally receive over the network, encrypted with the agent's public key.

### **Process:**

1. On a connected machine with access to the Keeper backend, export the policy data for the target airgapped agent. The export is encrypted with that agent's public key, so it can only be decrypted by the specific agent it was generated for.
2. Transfer the encrypted binary file to the airgapped machine via your available transfer method.
3. Send an `OfflinePolicyData` message to the local MQTT API with the path to the file.

The agent decrypts the file, processes the policies exactly as it would a live sync-down response, and updates the active policy registry.

### **Common errors:**

<table data-header-hidden="false" data-header-sticky><thead><tr><th width="236">Error</th><th>Cause</th></tr></thead><tbody><tr><td><code>not registered</code></td><td>The agent must complete registration before importing policy data</td></tr><tr><td><code>Filename does not exist</code></td><td>The path to the policy data file is incorrect or inaccessible</td></tr><tr><td>Decryption failure</td><td>The policy data file was encrypted for a different agent</td></tr></tbody></table>

## Hybrid Deployments

In a hybrid deployment, agents can connect to the backend periodically (for example, monthly or when manually connected to a management VLAN) and sync normally. Between connections, they enforce the policies that were last synced, supplemented by any local policy files in the `policies/` folder.

This is the simplest approach for environments with intermittent connectivity. No special configuration is required — the agent automatically syncs when connectivity is available and falls back to cached policies when it is not.

## Audit Events in Airgapped Environments

The KEPM agent queues audit events locally when the backend is unreachable. When connectivity is restored, the queued events are posted automatically. Events are stored in the agent's unified storage and are not lost during service restarts.

For environments where connectivity is never restored (fully permanent airgap), audit events accumulate locally and should be extracted via the local HTTP API or log files for forwarding to your internal SIEM or audit system. See [Reading Logs](/keeperpam/endpoint-privilege-manager/user-guides/reading-logs.md) for log file paths and formats.

## Security Considerations

**Registration data is encrypted end-to-end.** The `AgentData` package returned during offline registration is encrypted with the agent's public key. Even if the transfer medium is intercepted, the data cannot be used to register a different agent.

**Policy files must be protected from unauthorized modification.** Local policy files take precedence over server-synced policies. Ensure the `policies/` folder is writable only by the service account. See the [Security Hardening](/keeperpam/endpoint-privilege-manager/user-guides/security-hardening.md) guide for recommended file permission settings.

**Encrypted policy import is agent-specific.** An encrypted policy data file generated for one agent cannot be used on another agent — the decryption will fail. This prevents policy data files from being replayed across machines.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.keeper.io/keeperpam/endpoint-privilege-manager/user-guides/airgapped-support.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.