Air-Gapped Device

An air-gapped device is one physically isolated from any network. No Wi-Fi, no Bluetooth, no Ethernet, no cellular. Data movement in and out happens only through physical media (USB drive, SD card) or, in the strictest deployments, through manual transcription. Used in high-security environments where the cost of network compromise outweighs the convenience of network connectivity.

What it means in practice

The air gap is a strong defense and a brittle one. Strong: malware cannot exfiltrate data over a network that does not exist, remote attackers cannot reach the device, and the time-to-compromise becomes the time-to-physical-access. Brittle: the air gap fails the moment someone plugs in a USB drive that came from a network-connected machine (the Stuxnet attack on Iranian nuclear centrifuges used exactly this vector), and modern research has demonstrated covert data exfiltration through speakers, hard drive vibrations, screen flicker, electromagnetic emissions, and USB charging signals (the air-gap-bridging side-channel literature is rich and unsettling). The air gap is the right tool for storing the secret that matters most; it is the wrong tool for daily-driver work.

Where it shows up

Standard practice for: cryptocurrency cold storage (the seed phrase generation device should never have been online), classified-information handling in government environments (SCIF computers are physically isolated from internet-connected networks), critical industrial control systems in some sectors (power generation, water treatment, though increasingly compromised by IT/OT convergence pressures), legal-discovery review of seized devices (the analysis machine is air-gapped to prevent accidental modification of evidence), and high-target operators storing the master keys to their digital lives (PGP master key, password vault backup, recovery seed for hardware wallets).

What you can change today

If you have a piece of data whose loss or exposure would be catastrophic (master encryption keys, recovery phrases, sensitive source documents), put it on an air-gapped device. Practical implementation: a Raspberry Pi without Wi-Fi/Bluetooth modules, an old laptop with the wireless cards physically removed, a dedicated burner that is never connected to a network. Store the device in a safe or off-site location. Move data in via SD card from a computer you trust, with the SD card formatted on the air-gapped device after each transfer to defeat USB-based malware transmission. The convenience cost is high; the protection it buys for the right asset is correspondingly high.

Related articles