self-hosting
Air-gapped install
Build a self-contained bundle on a connected host, transfer one tarball, and install VaultTerm on a disconnected host that never reaches the network.
Updated Jun 23, 2026
VaultTerm installs fully air-gapped. You build a self-contained bundle on a connected machine, transfer a single tarball, and bring the stack up on the disconnected host — nothing is pulled or built there. The license verifies offline too, so the install never phones home.
Build the bundle (connected host)
On a connected host with the repository and Docker, run bundle-offline.sh with a version tag:
cd deploy/onprem
./bundle-offline.sh v1.0.0 # produces dist/vaultterm-onprem-v1.0.0.tar.gz
The script builds the app image, pulls postgres:16 and redis:7, and saves all three into one
tarball alongside the compose file, .env.example, and a generated install-offline.sh. The result is
self-contained: it carries everything the disconnected host needs.
| In the bundle | Why |
|---|---|
app image | the VaultTerm application, prebuilt |
postgres:16 image | the bundled database |
redis:7 image | the bundled cache |
docker-compose.yml | the stack definition |
.env.example | the configuration template |
install-offline.sh | loads the images and starts the stack |
Transfer
Move the tarball to the air-gapped host by whatever approved channel you use — removable media, an internal transfer host, a data diode. No registry access is needed on the destination.
Install (disconnected host)
Extract the tarball, then run install-offline.sh twice. The first run loads the images, seeds
.env from the template, and exits so you can edit it. The second run starts the stack from the loaded
image.
tar -xzf vaultterm-onprem-v1.0.0.tar.gz -C /opt/vaultterm
cd /opt/vaultterm
./install-offline.sh # first run: loads images, seeds .env from the template, exits
# edit .env — secrets, URLs (same minimum set as the connected install)
./install-offline.sh # second run: starts the stack from the loaded image
The first run never starts containers if .env is missing — it creates it and tells you to edit it. The
second run uses the pre-loaded image and never attempts to build, so the disconnected host needs no
compiler, no registry, and no outbound network. Set the same minimum variables as a connected install
(POSTGRES_PASSWORD, JWT_SECRET, DEV_MASTER_KEY, APP_BASE_URL, RP_ID/RP_ORIGIN) — see
Install with Docker Compose.
The license verifies offline
On-prem reads its entitlements from a signed .vtlic file, verified locally against a built-in
vendor public key. There is no activation call and no license server to reach, so an air-gapped install
verifies its license like any other — nothing leaves the host. The connected over-deployment heartbeat
is off unless you explicitly set its URL, so an air-gapped install never phones home. See
Licensing and activation for the full license model.
Next
- Licensing and activation — install and renew the
.vtlic. - Upgrading — rebuild the bundle and re-run the installer.
- Backups and recovery — what to back up before you upgrade.