Air-Gapped Software for Enterprises
Air-gapped software runs on networks with no internet connection—required for defense, critical infrastructure, and classified environments. Here's how local-first CRM fits.
Air-gapped computing — running systems on networks physically isolated from the internet and other external networks — is a requirement, not a choice, for some categories of enterprise and government work. Classified defense systems, critical infrastructure controls, financial systems handling nuclear-level transactions, and certain healthcare environments all operate with air-gap requirements.
For most of these organizations, traditional cloud software is simply out of the question. The question is how to get modern software capabilities — including CRM and contact management — in an air-gapped or near-air-gapped environment.
What Air-Gapped Means#
An air gap is a security measure that physically isolates a computer or network from external networks, particularly the internet. The term comes from the physical air gap between isolated and non-isolated hardware.
True air-gapped systems have:
- No internet connection
- No wireless network interfaces (WiFi, Bluetooth disabled or physically removed)
- Physical access controls to prevent unauthorized network connections
- Strict media controls (USB ports may be disabled or monitored)
Partial air-gapping (sometimes called "network segmentation" or "isolated network") allows controlled, monitored connections for specific purposes like patching or data transfer through airlocks — controlled transfer mechanisms with strict protocols.
Air-gapped environments are required for:
- Classified government systems: Systems processing classified national security information must operate on networks physically isolated from the internet
- Critical infrastructure controls: Nuclear power plant control systems, power grid management, water treatment — these often operate on isolated networks
- Sensitive law enforcement systems: Systems containing law enforcement sensitive information
- Financial clearinghouses: Some financial settlement systems
- Military command and control systems
The Air-Gap Problem for Modern Software#
Modern enterprise software is designed for connected networks. SaaS CRM — Salesforce, HubSpot, Pipedrive — requires internet connectivity by design. You can't run Salesforce in an air-gapped environment. It's architecturally impossible: the application is served from Salesforce's servers; your browser connects to those servers; your data is stored there.
Even traditional "on-premise" enterprise software often has unexpected connectivity requirements: license validation servers, update mechanisms, telemetry, integration endpoints. Installing "on-premise" software and then unplugging the network often breaks features or triggers license failures.
This creates a gap in capabilities for air-gapped environments. Organizations that need to track contacts, manage relationships, log communications, and maintain institutional knowledge often fall back to:
- Local Excel/Google Sheets (exported and physically transferred)
- Paper records
- Legacy enterprise software from an era when air-gap was the default
- Custom-built internal tools that are expensive to maintain
None of these are good answers.
Local-First as the Natural Air-Gap Solution#
Local-first software is designed from the ground up to function without internet connectivity. The data is local. The computation is local. The application serves from local storage. An internet connection, if available, is used for optional features like cloud sync or AI API calls — not for core functionality.
This makes local-first software naturally compatible with air-gapped environments. DenchClaw can run on a machine with no internet connection and provide full CRM functionality: contact management, deal tracking, note-taking, relationship history, pipeline management — all working from the local DuckDB database.
The installation itself requires a one-time network connection (npx denchclaw) — but once installed, the application runs entirely from local files. In a formal air-gap deployment, you'd install on a non-air-gapped machine, copy the installation to physical media, and transfer it through your air-gap protocols.
Deployment Patterns for Air-Gapped Environments#
Full Air-Gap Deployment#
For fully air-gapped environments:
- Offline installation: Download the DenchClaw installation package on an internet-connected machine. Package it for offline installation.
- Air-gap transfer: Transfer the package through your approved air-gap transfer process (secure USB, CD-ROM, air-gap transfer station)
- Local install: Install from the transferred package. No internet connection required after this point.
- Local AI models: For AI features, install a local model (Ollama with Llama or Mistral) using the same air-gap transfer process. AI inference will work locally without any external API calls.
- No cloud sync: Configure DenchClaw with no sync enabled. All data stays on the local machine.
Network-Isolated Team Deployment#
For environments that are isolated from the internet but have an internal network:
- Run DenchClaw on an internal server accessible only on your internal network
- Team members connect to the server via your internal network (VPN or direct)
- AI features use a locally-hosted model accessible on the internal network
- No data leaves your controlled network environment
Controlled Air-Lock Data Transfer#
For environments where periodic, controlled data transfer is permitted:
- Primary CRM runs in the air-gapped environment
- Authorized data extracts (DuckDB exports, CSV) are transferred through your air-lock process for analysis on less-restricted systems
- Data imports (new contacts from external sources) follow the same controlled transfer process
Security Considerations for Air-Gapped CRM#
Air-gapped environments have their own security challenges, and software deployed in them needs to account for the threat model:
Physical access controls: If someone can physically access the machine, they can access the data. Disk encryption (FileVault, BitLocker) and physical access controls are essential.
Insider threat: Air-gapped systems are more susceptible to insider threats than internet-connected systems, since external attack vectors are limited. Access logging and audit trails matter.
Media transfer protocols: The air-gap transfer mechanism is often the weakest link. USB drives and other media can carry malware. Strict media controls and transfer protocols are necessary.
Update management: Without internet access, keeping software updated requires deliberate processes. Schedule periodic updates through your air-lock process.
Local AI model security: If using local AI models, the model files themselves should be transferred through approved channels and verified for integrity.
DenchClaw Features That Work Offline#
All core DenchClaw functionality works without internet connectivity:
- Contact management (create, update, search, delete)
- Deal and pipeline tracking
- Document and note management
- Custom views and filters (DuckDB queries)
- Kanban and table views
- Action fields and local automation
- Reports and analytics (all local DuckDB queries)
- Browser automation (if Chrome is available on the network)
Features that require connectivity:
- External AI API calls (Claude, GPT, Gemini) — use local models instead
- Cloud sync
- External data enrichment APIs
For a fully air-gapped deployment, everything except external AI APIs works. Configure Ollama with a local model for AI features.
Comparing Air-Gap Options#
| Approach | Cost | Capability | Air-Gap Compatible |
|---|---|---|---|
| Spreadsheets | Free | Limited | Yes |
| Legacy on-premise CRM | High | Moderate | Varies |
| Cloud CRM (Salesforce, HubSpot) | High | Full | No |
| Custom internal tool | Very high | Variable | Yes |
| DenchClaw (local-first) | Free (MIT) | Full | Yes |
For organizations that need modern CRM capabilities in restricted environments, DenchClaw's local-first architecture provides a compelling combination of capability and deployment flexibility.
Frequently Asked Questions#
Can DenchClaw be installed without any internet connection?#
The initial installation via npx denchclaw requires an internet connection to download the package. Once installed, it runs fully offline. For true air-gap environments, install on a connected machine and transfer the installation through approved media.
Does DenchClaw have any "phone home" behavior?#
DenchClaw does not require internet connectivity to function and does not have mandatory telemetry or license validation that requires network access. This is verifiable from the open-source code.
What local AI model should I use in an air-gapped environment?#
Ollama with Llama 3, Mistral, or similar open-source models works well. Download the model on a connected machine, transfer it through your air-lock process, and configure DenchClaw to use the local Ollama endpoint.
How do I handle software updates in an air-gapped environment?#
Schedule periodic update cycles where you download updated DenchClaw packages on a connected machine, verify integrity, and transfer through your air-lock process. The open-source codebase lets you review changes before deploying.
Ready to try DenchClaw? Install in one command: npx denchclaw. Full setup guide →
