Offline License: Air-Gapped Validation

In this tutorial, you'll issue a QuantumLock license and validate it in a completely air-gapped environment — no network access required. This is essential for sovereign computing, defense, and high-security deployments.

Objective

By the end of this tutorial, you will have:

• ✅ Generated an offline-capable license file
• ✅ Transferred it to an air-gapped machine
• ✅ Validated the license without network access
• ✅ Verified feature entitlements locally

---

Prerequisites

On the Online Machine (License Authority)

# QuantumLock CLI
pip install quantumlock
quantumlock --version
# Should show: quantumlock v2.x.x

# Authenticated with license authority
quantumlock auth status

On the Air-Gapped Machine

# QuantumLock SDK (offline mode)
# Pre-installed via approved package transfer
pip install quantumlock --no-index --find-links ./packages/

---

Architecture Overview

┌─────────────────────┐                    ┌─────────────────────┐
│   ONLINE MACHINE    │                    │  AIR-GAPPED MACHINE │
│  (License Issuer)   │                    │  (License Consumer) │
├─────────────────────┤                    ├─────────────────────┤
│                     │                    │                     │
│  1. Generate key    │ ───USB/Secure───▶ │  2. Import key     │
│  2. Issue license   │     Transfer       │  3. Validate       │
│  3. Export bundle   │                    │  4. Use features   │
│                     │                    │                     │
└─────────────────────┘                    └─────────────────────┘

---

Step 1: Generate Machine Fingerprint (Air-Gapped)

On the air-gapped machine, generate a hardware fingerprint:

quantumlock fingerprint generate --output machine-fingerprint.json

Output:

🔐 Generating machine fingerprint...

   Machine ID: m_8a7b6c5d-4e3f-2a1b-0c9d-8e7f6a5b4c3d
   CPU: AMD EPYC 7763
   Platform: Linux 6.1.0
   Hostname: secure-hpc-node-01
   
✅ Saved to: machine-fingerprint.json

Transfer this file to the license authority for binding.

Transfer machine-fingerprint.json to the online machine (USB, secure channel, etc.).

---

Step 2: Issue License (Online Machine)

On the online machine, issue a license bound to the fingerprint:

quantumlock license issue \
  --customer "Acme Defense Corp" \
  --product "QCOS Enterprise" \
  --features "acos,evidence,unlimited-jobs" \
  --expires "2027-01-04" \
  --fingerprint ./machine-fingerprint.json \
  --offline \
  --output license-bundle.zip

Output:

🔐 Issuing offline license...

   Customer: Acme Defense Corp
   Product: QCOS Enterprise
   Features: acos, evidence, unlimited-jobs
   Expires: 2027-01-04
   Bound to: m_8a7b6c5d-4e3f-2a1b-0c9d-8e7f6a5b4c3d
   Offline: YES ✅
   
📦 License bundle created:
   ├── license.qlicense (signed license file)
   ├── public-key.pem (ML-DSA-65 verification key)
   └── validation-instructions.md
   
✅ Saved to: license-bundle.zip

Transfer this bundle to the air-gapped machine.

---

Step 3: Transfer to Air-Gapped Machine

Transfer license-bundle.zip via approved secure channel (USB, optical media, etc.).

On the air-gapped machine:

unzip license-bundle.zip -d ./license/
ls -la ./license/

total 24
-rw-r--r-- 1 user user  4096 Jan  4 16:00 license.qlicense
-rw-r--r-- 1 user user  2048 Jan  4 16:00 public-key.pem
-rw-r--r-- 1 user user  1024 Jan  4 16:00 validation-instructions.md

---

Step 4: Import License (Air-Gapped)

Import the license and verification key:

quantumlock license import \
  --license ./license/license.qlicense \
  --public-key ./license/public-key.pem

Output:

📥 Importing license...

   License ID: lic_3c4d5e6f-7a8b-9c0d-1e2f-3a4b5c6d7e8f
   Customer: Acme Defense Corp
   Product: QCOS Enterprise
   Expires: 2027-01-04
   
🔐 Signature verification (ML-DSA-65)...
   Signature: VALID ✅
   
🖥️ Machine binding verification...
   Expected: m_8a7b6c5d-4e3f-2a1b-0c9d-8e7f6a5b4c3d
   Current:  m_8a7b6c5d-4e3f-2a1b-0c9d-8e7f6a5b4c3d
   Binding: VALID ✅
   
✅ License imported successfully!
   
   Stored at: ~/.quantumlock/licenses/lic_3c4d5e6f...

---

Step 5: Validate License (Air-Gapped)

Validate without any network access:

quantumlock license validate --offline

Output:

🔍 Validating license (offline mode)...

[1/4] License File Integrity
  ├── Hash: sha3-256:7a8b9c0d1e2f...
  └── Status: VALID ✅

[2/4] Signature Verification (ML-DSA-65)
  ├── Algorithm: Dilithium Level 3
  ├── Quantum-Safe: YES
  └── Status: VALID ✅

[3/4] Machine Binding
  ├── Fingerprint match: YES
  └── Status: VALID ✅

[4/4] Expiration Check
  ├── Current: 2026-01-04
  ├── Expires: 2027-01-04
  ├── Days remaining: 365
  └── Status: VALID ✅

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ LICENSE VALID (OFFLINE)

   Customer: Acme Defense Corp
   Product: QCOS Enterprise
   Features: acos, evidence, unlimited-jobs
   
   No network access required for validation.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

---

Step 6: Check Feature Entitlements

Query specific features:

quantumlock features check acos

✅ Feature 'acos' is ENABLED

   Entitled: YES
   Expires: 2027-01-04

quantumlock features list

Feature          Status    Expires
─────────────────────────────────────
acos             ✅ ON     2027-01-04
evidence         ✅ ON     2027-01-04
unlimited-jobs   ✅ ON     2027-01-04
synapsex         ❌ OFF    —

---

Step 7: SDK Integration

Use the license in your Python application:

from quantumlock import QuantumLock

# Initialize in offline mode
ql = QuantumLock(offline=True)

# Validate license
result = ql.validate()
print(f"License valid: {result.valid}")
print(f"Customer: {result.customer}")
print(f"Expires: {result.expires}")

# Check feature
if ql.has_feature("acos"):
    print("ACOS features available!")
    # ... use ACOS functionality
else:
    print("ACOS not licensed")

Output:

License valid: True
Customer: Acme Defense Corp
Expires: 2027-01-04
ACOS features available!

---

Verification Checklist

Check	Command	Expected
License imported	quantumlock license list	Shows license ID
Signature valid	quantumlock license validate	Signature: VALID
Machine bound	quantumlock license validate	Binding: VALID
Features work	quantumlock features check acos	Status: ON

---

Troubleshooting

"Machine fingerprint mismatch"

The license was issued for a different machine. Re-generate fingerprint on the correct machine and re-issue.

# On air-gapped machine
quantumlock fingerprint show

# Compare with license expectation
quantumlock license info --show-binding

"License expired"

Issue a new license with extended expiration:

quantumlock license renew --license-id lic_3c4d5e6f... --extend-years 1

"Public key not found"

Ensure the public key was imported:

quantumlock keys import ./license/public-key.pem

---

Security Considerations

Why ML-DSA (Dilithium)?

QuantumLock uses ML-DSA-65 (NIST-standardized Dilithium) because:

• Resistant to quantum computer attacks
• Suitable for long-term license validity (5+ years)
• NIST FIPS 204 compliant

Revocation in Offline Mode

For offline licenses, revocation requires:

1. Issuing a new license with revocation list embedded
2. Periodic "refresh" bundles (optional, configurable)

---

Next Steps

• License Artifact Signing — Sign custom artifacts
• QuantumLock API Reference — Programmatic license management
• Enterprise Deployment — Large-scale rollout

---

Sovereign Computing

For government and defense deployments, we offer FIPS 140-3 validated builds and on-premise license authorities. Contact enterprise@softquantus.com.