Air-gapped / offline
Deploying and updating Password Pusher Pro without outbound internet—image transfer, compose files, and what to plan for.
Air-gapped (or offline) here means your runtime environment has no outbound internet—or you must not pull images or run curl from the host where the app runs. Data and pushes still stay on your infrastructure; the constraint is how you get the container image and install files onto that host.
The standard install flow uses a personalized curl | sh command and pulls from the private registry. In a disconnected network you replace that with a transfer + load workflow.
What you need on the isolated host
- Docker and Docker Compose (see System requirements).
- Images — Pro app image(s) for your plan (Starter/Advanced/Enterprise) loaded into the local Docker daemon (e.g. via `docker load` after transferring a tarball from a connected machine).
- `docker-compose.yml` and `.env` — Same files the install script would have written. Obtain them from a one-time run of your install command on a connected staging host, or from Apnotic support if your process requires it—treat `.env` like a secret (see Backups — encryption keys & `.env`).
- No reliance on `docker compose pull` on the air-gapped host until you’ve loaded newer images manually.
Typical workflow (high level)
- On a connected machine (bastion / build host):
  - Run your authorized install so you have the correct `docker-compose.yml` and `.env` for your license, or follow the process Apnotic provides for your contract.
  - Save images to a tarball, e.g. `docker save -o pwpush-pro.tar <image-name>`. Include Enterprise PostgreSQL image if you use that stack.
- Transfer the tarball(s), `docker-compose.yml`, and `.env` to the air-gapped host by your approved channel (USB, sneakernet, internal artifact repo, etc.).
- On the air-gapped host:
  - `docker load -i pwpush-pro.tar` (and any other tarballs).
  - Place `docker-compose.yml` and `.env` in one directory; ensure `image:` in the compose file matches the loaded image name/tag.
  - `docker compose up -d` from that directory.
- First admin — Same as online: boot code from `docker compose logs pwpush-pro`, then open the app URL. See Getting started checklist.
Exact image names depend on your plan (e.g. standard vs advanced vs enterprise). Use `docker images` after load to confirm tags before `up -d`.
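An added pre-flight check for the air-gapped host (example code, not part of Password Pusher Pro or Apnotic's tooling): it verifies a checksum manifest that travelled with the bundle, then confirms every image the compose file references is already loaded. The `SHA256SUMS` file name and all function names are assumptions.

```bash
#!/usr/bin/env bash
# Pre-flight for the air-gapped host, run before `docker compose up -d`.
# Assumption: the connected machine wrote a manifest next to the files, e.g.
#   sha256sum pwpush-pro.tar docker-compose.yml .env > SHA256SUMS
# SHA256SUMS and every function name here are illustrative.

# Re-hash each file listed in the manifest; non-zero if any was altered
# or truncated in transit.
verify_bundle() {
  ( cd "$1" && sha256sum -c SHA256SUMS >/dev/null )
}

# Append the implicit ":latest" to untagged references so they compare equal
# to the "repo:tag" form printed by `docker images`. Only the last path
# component is inspected, so a registry port (host:5000/app) is not a tag.
normalize_ref() {
  while IFS= read -r ref; do
    [ -n "$ref" ] || continue
    case "${ref##*/}" in
      *:*|*@*) printf '%s\n' "$ref" ;;
      *)       printf '%s:latest\n' "$ref" ;;
    esac
  done
}

# Print every required image ($1, one per line) absent from the loaded
# list ($2, one repo:tag per line). Empty output means nothing is missing.
missing_images() {
  printf '%s\n' "$1" | normalize_ref | while IFS= read -r want; do
    printf '%s\n' "$2" | grep -Fxq -- "$want" || printf '%s\n' "$want"
  done
}

# Usage: preflight /path/to/bundle-dir   (needs Docker and Compose v2)
preflight() {
  verify_bundle "$1" || { echo "checksum mismatch in $1" >&2; return 1; }
  # `config --images` resolves ${VAR} interpolation from .env before listing.
  wanted=$(cd "$1" && docker compose config --images) || return 1
  loaded=$(docker images --format '{{.Repository}}:{{.Tag}}')
  gaps=$(missing_images "$wanted" "$loaded")
  if [ -n "$gaps" ]; then
    printf 'not loaded: %s\n' $gaps >&2
    return 1
  fi
}
```

Digest-pinned references (`name@sha256:...`) are reported as missing because the loaded list is compared by `repo:tag`; check those by hand with `docker images --digests`.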
Updates without registry access
- No `docker compose pull` on the air-gapped host unless you’ve pre-loaded new images.
- Process: On a connected machine, pull or save the new image version → transfer tarball → `docker load` on the isolated host → `docker compose up -d` to recreate containers. See Operations — Update the application for the compose commands; substitute load for pull.
Privacy and license validation (EULA)
Password Pusher is built so your data stays yours. When the app does contact Apnotic, it is only for license validation—not for your pushes, requests, or user content. The Self-Hosted Pro EULA states this explicitly:
The Software may occasionally initiate outbound connections to license validation endpoints solely for the purpose of validating your license, downloading license updates (for example for “add-on” purchases), and processing license renewals. These connections transmit only license-related information (such as license keys and tokens) and do not transmit any of Your Data, including sensitive information or user content.
To be absolutely clear: Apnotic has no ability to access Your Data, and we never will. Your sensitive information, passwords, user content, and all other data stored within your self-hosted deployment remain completely private and inaccessible to Apnotic. We cannot see it, we do not want to see it, and we have designed the Software specifically to ensure that your data stays within your control at all times.
If you prefer complete network isolation, you are free to block outbound connections to our license validation endpoints entirely. In that case, you would need to manually enter updated license keys and license token payloads when renewing or upgrading your subscription.
Full EULA (PDF): eula-self-hosted-pro.pdf
That manual path is what Administration Center → Licensing and the license token from support are for—so you can run without any outbound license calls if your policy requires it.
Licensing without outbound fetching
If the application must not automatically fetch or validate the license over the network, Apnotic support can provide a license token for your deployment.
- Request a license token from Apnotic support (include your license/domain context).
- Paste the token in the app under Administration Center → Licensing.
- The app uses that token locally, so it does not need to reach out for automatic license fetching.
Treat the token like other secrets—store it in your password manager or secure backup alongside your .env backup if you document recovery procedures.
If your policy is unusual (e.g. token rotation or compliance review), contact Apnotic so support and licensing stay aligned with your air-gapped process.
Related
| Topic | Doc |
|---|---|
| Standard install flow | How it works |
| Ordered first-run steps | Getting started checklist |
| Start / restart / logs | Operations |
| Back up `.env` with DB | Backups |
| Plans & support | Overview |
| EULA (Self-Hosted Pro) | eula-self-hosted-pro.pdf |