What is an air-gapped Root CA?

An air-gapped system is a computer that is physically isolated from any network, including the internet. For a Root CA, this means the system containing your root private key has never been and will never be connected to any network.

Data transfer to and from an air-gapped system is done exclusively via secure removable media (such as USB drives), with strict procedures to prevent any form of network bridging.

Why Air-Gap Your Root CA?

  • Removes remote, network-borne attack vectors entirely
  • Protects against network-delivered malware and other network-based threats
  • Required by many compliance standards (ISO 27001, BSI)
  • Industry best practice for PKI security

Recommended Setup

  • Dedicated hardware with no network interfaces
  • Physical security (locked room, access controls)
  • YubiHSM for secure key storage
  • Documented procedures for all operations