Privacy-First Tools for Air-Gapped Environments

Introduction

We've built three tools for air-gapped environments: Cleanroom Whisper for voice transcription, AirGap Deploy for packaging applications, and AirGap Transfer for moving large files across the air gap.

The Problem: Computing in Isolation

Imagine you're a researcher working with sensitive patient data, a government employee handling classified information, or a financial analyst working in a secure trading environment. Your computer isn't connected to the internet—not because of a network problem, but by design. This isolation, called an "air gap," is one of the strongest security measures available.

But working offline presents unique challenges. How do you transcribe interview recordings when cloud-based services aren't an option? How do you deploy new software when you can't simply run pip install or download from the internet? How do you transfer a 20GB dataset when it won't fit on a single USB drive?

For years, the answer has been either expensive enterprise solutions, manual workarounds prone to human error, or platform-specific tools that only work on macOS. If you needed cross-platform, affordable, and privacy-respecting tools for offline computing, you were largely out of luck.

That's why we built these tools.

Three Tools for Offline Computing

We've developed three foundation projects designed specifically for computing in isolated, offline environments:

Cleanroom Whisper converts your voice to text completely offline, using no cloud services. Press a hotkey, speak your thoughts, and get instant transcription—perfect for quick notes, meeting documentation, or accessibility needs.

AirGap Deploy packages applications and all their dependencies into a single bundle that can be installed on air-gapped systems. No more hunting down missing libraries or trying to compile software without internet access.

AirGap Transfer safely moves large files and datasets across the air gap, even when they're too big for a single USB drive. It automatically chunks data, verifies integrity, and reassembles everything on the other side.

All three are designed from the ground up with a single philosophy: privacy through data locality. Your data never leaves your machine. There's no network code, no telemetry, no "phoning home." Everything stays exactly where you put it.

And because all three tools are written in Rust with minimal dependencies, they work consistently across macOS, Windows, and Linux—no virtualization, no cloud accounts, no subscriptions required.

These three projects form the core foundation that is being actively developing in the near term. They're designed not just as standalone tools, but as building blocks that demonstrate patterns and principles for privacy-first, offline computing.

Cleanroom Whisper: Your Private Voice Assistant

Have you ever been in a meeting where you wanted to capture a quick thought but didn't want to break your focus by typing? Or perhaps you've conducted interviews that needed transcription but couldn't use cloud services for privacy reasons?

Cleanroom Whisper addresses this. It's a system tray application that listens for a global hotkey (like Ctrl+Alt+R). Press the hotkey once to start recording, speak your memo, then press it again to stop. Within seconds, you have accurate text transcription—completely offline.

Real-world example: A healthcare researcher conducting patient interviews can transcribe recordings locally, keeping sensitive health information on their secure machine. A productivity enthusiast can capture task ideas by voice while keeping hands on the keyboard. Someone with mobility limitations can use it as an accessibility tool for hands-free text input.

Unlike cloud-based tools like Otter.ai or Fireflies that require subscriptions and send your audio to external servers, Cleanroom Whisper processes everything locally using whisper.cpp. Unlike macOS-only tools like MacWhisper or Superwhisper, it works consistently across all major platforms.

The application runs silently in your system tray with no main window cluttering your screen. Your transcription history is stored locally in SQLite, and you can access recent transcriptions with a click or copy the latest one instantly with another hotkey (Ctrl+Alt+C).

We couldn't find existing cross-platform, open-source voice transcription tools designed for quick capture workflows in air-gapped environments, so we built one.

Learn more: Cleanroom Whisper documentation

AirGap Deploy: Package Once, Deploy Anywhere

Now imagine you've built a useful application—perhaps a data analysis tool or a machine learning model—and you need to deploy it to air-gapped systems. The traditional approach involves:

Manually downloading every dependency
Copying them to USB drives
Figuring out build instructions on the offline machine
Discovering you forgot a critical library
Starting over

AirGap Deploy automates this entire workflow. You create a simple TOML manifest file that describes your application, its dependencies, and how to build it. Run one command (airgap-deploy prep), and it downloads everything needed, packages it into a single archive, and generates platform-specific installation scripts.

Real-world example: A developer building an offline voice transcription app (like Cleanroom Whisper itself!) can create a manifest that includes the Rust application, whisper.cpp binary, pre-trained model files, and all required build tools. Transfer the package via USB, run the install script on the air-gapped machine, and everything builds and installs automatically—no internet required.

This is fundamentally different from existing tools. Kubernetes-based solutions like Zarf and UDS are excellent for containerized server workloads but require heavy infrastructure. Docker provides containers but needs a daemon running on the target system. Language-specific tools like pip download or cargo-vendor handle only one component type. Enterprise tools like JFrog Artifactory require expensive licenses and complex setup.

AirGap Deploy is lightweight (single Rust binary), declarative (human-readable TOML manifests), and comprehensive (handles applications, binaries, models, and system packages in one workflow). It's designed for release engineers and developers who need to package desktop applications for air-gapped deployment—not enterprise IT managing datacenter infrastructure.

We couldn't find existing tools for packaging Rust applications with ML models for air-gapped desktop deployment, so we built one.

Learn more: AirGap Deploy documentation

AirGap Transfer: Moving Data Across the Air Gap

Here's a common scenario: You've used AirGap Deploy to create a 25GB package containing your application, models, and dependencies. Great! Except your USB drives are only 16GB each. How do you get this package across the air gap?

Traditionally, people use tar with split to manually chunk files, carefully calculate sizes, track which chunk goes on which drive, and manually verify checksums. It's tedious, error-prone, and if you forget to verify one chunk, you might not discover corruption until it's too late.

AirGap Transfer automates this "sneaker net" workflow. Run airgap-transfer pack large-package.tar.gz /media/usb --chunk-size 16GB and it automatically splits your data across multiple USB drives, generates a manifest tracking all chunks, and creates checksums for integrity verification.

Real-world example: A defense contractor needs to transfer 50GB of classified training data to an isolated analysis system. AirGap Transfer chunks it across four 16GB USB drives, tracks everything in a JSON manifest, and verifies each chunk with SHA-256 checksums. On the air-gapped machine, airgap-transfer unpack reconstructs the original data and verifies integrity automatically.

This is different from rsync (which is excellent for local synchronization but doesn't handle multi-USB orchestration), enterprise backup solutions like Commvault or Veeam (which require expensive licenses and complex infrastructure), or hardware solutions like data diodes (which cost thousands and only work in one direction).

AirGap Transfer includes checksum verification and resume capability. It's free, open source, and works with any USB storage on any platform.

Learn more: AirGap Transfer documentation

How They Work Together

Each tool solves a specific problem, and they also integrate well:

Complete offline workflow: A developer uses AirGap Deploy to package Cleanroom Whisper with all dependencies and model files (20GB total). The package is too large for a single USB drive, so they use AirGap Transfer to chunk it across multiple drives with verification. On the air-gapped machine, they use AirGap Transfer to reconstruct the package, then run the installation script generated by AirGap Deploy. Once installed, Cleanroom Whisper provides offline voice transcription capability.

You can:

Develop applications with complex dependencies
Package them with AirGap Deploy's declarative manifests
Transfer them safely with AirGap Transfer's chunking and verification
Deploy automatically with generated install scripts
Use privacy-respecting tools like Cleanroom Whisper

Each tool works independently—you can use AirGap Transfer without AirGap Deploy, or Cleanroom Whisper without either—but together they form a complete solution for air-gapped computing.

The technical foundation is consistent across all three: Rust for reliability and cross-platform support, minimal dependencies to avoid complexity, and zero network code to guarantee privacy. Everything is open source with no vendor lock-in.

A Foundation for the Future

This integrated architecture isn't just useful today—it demonstrates patterns that can support future air-gapped tools. The principles of privacy through data locality, minimal dependencies, and cross-platform Rust development provide a solid foundation. We're focused on these three projects for now, but the architecture is intentionally designed to support an expanding ecosystem of air-gapped computing tools.

Learn more: Meta-Architecture | Design Principles

Who Benefits?

These tools are designed for anyone who needs to work in isolated environments or values complete data privacy:

Government and defense: Deploy classified applications, transfer sensitive datasets, transcribe briefings—all without network exposure or security compromises.

Healthcare: Process patient recordings, analyze sensitive health data, deploy HIPAA-compliant tools—without sending Protected Health Information to cloud services.

Finance: Run analysis tools in isolated trading systems, transfer market data securely, maintain audit trails with cryptographic verification.

Research: Transcribe sensitive interviews, deploy analysis tools to secure labs, transfer large datasets while maintaining data integrity.

Privacy-conscious individuals: Anyone who wants voice transcription, software deployment, or file transfer without cloud dependencies or telemetry.

The common thread: keeping data local instead of sending it to external servers.

Getting Started

Ready to try it out? Each tool is available as source code and will be available as pre-built binaries once development is complete.

Cleanroom Whisper: Build from source with Cargo, configure whisper.cpp path, and start transcribing with global hotkeys. Useful for taking notes by voice or for accessibility needs. Learn more

AirGap Deploy: Create a TOML manifest, run airgap-deploy prep, and generate deployment packages for air-gapped systems. Learn more

AirGap Transfer: Split large files with airgap-transfer pack, physically transfer USB drives, and reconstruct with airgap-transfer unpack. Learn more

All three projects are open source and welcome contributions. These foundation tools represent the near-term development focus, but we have ideas for additional projects and we're eager to collaborate with others who share the vision of privacy-first computing.

Have ideas for air-gapped tools? Want to build on this foundation? Whether you're interested in contributing to these three projects, proposing new tools that fit the ecosystem, or building your own projects on these principles—the community is here to help. The patterns established by Cleanroom Whisper, AirGap Deploy, and AirGap Transfer can serve as a foundation for a broader ecosystem of offline-capable tools.