Air-gapped deployment

Run grith with no outbound internet, including self-hosted dashboard.

Enterprise · Planned

For Enterprise customers in environments without outbound internet — classified networks, regulated industries, isolated R&D labs.

ℹ️ Planned for v2.0

Full air-gapped Enterprise deployment ships in v2.0. The v0.1 community / Pro stack supports offline-only operation today; the missing pieces are offline license activation and the self-hosted dashboard, both in the v2.0 plan. See Air-gapped deployment (guide) for the v0.1 offline-leaning configuration.

What v2.0 ships

  • Offline license activation via signed license files. Generated by an online dashboard, transferred manually to air-gapped devices, validated locally.
  • Self-hosted dashboard — full dashboard runnable on-prem. Hosts the team key, policy bundles, SIEM connectors, channel configs. Syncs to devices over the customer's LAN.
  • Air-gapped update channel — signed tarball releases distributed by the customer's IT pipeline and applied on the device with grith update --bundle release-v2.0.tar.gz.
  • Manual canary rotation — without an internet round-trip.

Architecture (planned)

┌─────────────────────────────────────────────────────────┐
│                   air-gapped network                    │
│                                                         │
│   ┌─────────────────┐         ┌──────────────────┐      │
│   │ self-hosted     │◄────────│  developer       │      │
│   │ grith dashboard │         │  devices (grith) │      │
│   │ (on-prem VM)    │         │  ─ sync          │      │
│   └─────────────────┘         │  ─ audit summary │      │
│           ▲                   │  ─ refresh       │      │
│           │                   └──────────────────┘      │
│           │                                             │
│   ┌───────┴──────────┐                                  │
│   │ on-prem SIEM     │                                  │
│   │ (Splunk/Elastic) │                                  │
│   └──────────────────┘                                  │
└─────────────────────────────────────────────────────────┘
       ▲
       │ manual transfer (USB, mirrored repo, signed tarball)
       ▼
   ┌──────────────────┐
   │ online grith.ai  │  (for license issuance only)
   └──────────────────┘

License issuance flow (planned)

  1. Customer's admin uses an online machine to authenticate to grith.ai.
  2. Generates a per-device license signed by grith.ai's release key.
  3. Transfers the license file to the target device via the customer's existing media-transfer mechanism (mirrored repo, signed USB, etc.).
  4. On the device, run grith pro activate ./license.signed. The license is validated locally; no network is needed.

License files include valid_until. For ongoing operation, customers cycle new license files in on schedule (typically monthly or quarterly).
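
What "validated locally" has to mean for a signed, expiring license, as an added example that is not grith's own code: authenticate the file first, read valid_until only from the authenticated payload, and fail closed on anything else. The key=value payload, the detached signature file, the ECDSA P-256 key and the function names are assumptions made for the example; the page does not specify grith's license format.

```shell
#!/bin/sh
# Added example, not grith code. Assumed layout: a key=value license payload
# plus a detached signature made with the vendor release key.

# verify_license PUBKEY LICENSE SIG [TODAY as YYYY-MM-DD, default: current UTC date]
# Returns 0 = valid, 1 = bad signature, 2 = expired, 3 = malformed valid_until.
verify_license() {
    pub=$1 lic=$2 sig=$3 today=${4:-$(date -u +%Y-%m-%d)}
    # 1. Authenticate first: never act on fields from an unverified file.
    openssl dgst -sha256 -verify "$pub" -signature "$sig" "$lic" \
        >/dev/null 2>&1 || return 1
    # 2. Read the expiry only from the payload that just verified.
    until_date=$(sed -n 's/^valid_until=//p' "$lic" | head -n 1)
    case $until_date in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 3 ;;   # missing or malformed expiry: fail closed
    esac
    # 3. Compare as integers (YYYYMMDD). This trusts the device clock, which
    #    an offline host cannot cross-check against a network time source.
    t=$(printf '%s' "$today" | tr -d '-')
    u=$(printf '%s' "$until_date" | tr -d '-')
    [ "$t" -gt "$u" ] && return 2
    return 0
}

# make_demo: constructed sample data. A throwaway P-256 key stands in for the
# release key; device_id and valid_until are invented values.
# Prints the temp directory holding release.pub, license and license.sig.
make_demo() {
    d=$(mktemp -d)
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/release.key" 2>/dev/null
    openssl ec -in "$d/release.key" -pubout -out "$d/release.pub" 2>/dev/null
    printf 'device_id=demo-laptop-01\nvalid_until=2026-09-30\n' > "$d/license"
    openssl dgst -sha256 -sign "$d/release.key" -out "$d/license.sig" "$d/license"
    echo "$d"
}
```

Editing valid_until in a copy of the license makes step 1 fail before the date is ever read, which is why the order of the checks matters.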

Update flow (planned)

# Online admin machine:
grith-admin fetch-bundle --version 2.0.1 --output ./bundle-2.0.1.tar.gz

# Transfer bundle to air-gapped network

# Air-gapped device:
grith update --bundle ./bundle-2.0.1.tar.gz

Bundles are signed; devices verify before applying.

Today (v0.1) workaround

The v0.1 offline configuration covers the supervision and filter pipeline fully. What's missing:

  • License refresh requires periodic online connectivity (24h grace).
  • No self-hosted dashboard (use the CLI and grith log --tail instead).
  • No team sync from on-prem (use manual config file distribution).

See Air-gapped deployment guide for the v0.1 offline-config recipe.

Last updated: 2026-05-14