Offline License Activation (Air-Gapped)¶

Section: Licensing | Article 13
Audience: IT Administrators
Last Updated: 2026-04-07

Overview¶

RP-PAM supports offline license activation for environments that cannot reach the internet. This includes air-gapped networks, classified environments, and networks with strict outbound firewall policies that block all HTTPS traffic.

In offline mode, RP-PAM does not attempt to contact the Ravenphyre License Verification Service (LVS). Instead, the license is cryptographically bound to your specific deployment using a deployment fingerprint.

When to Use Offline Activation¶

Use offline activation if any of the following apply:

Your RP-PAM server has no outbound internet access and cannot be granted it
Your security policy prohibits any outbound connections from servers in the secure zone
You are deploying in a classified or air-gapped network
You cannot deploy an LVS Relay on a network segment with internet access

If your server has internet access (even intermittent), online activation is simpler and recommended. If your server lacks internet but a nearby host has it, consider the LVS Relay approach instead.

How Offline Activation Works¶

The process has four steps:

   RP-PAM Server              You (Sneakernet)           Ravenphyre
   (air-gapped)                                          (support@ravenphyre.net)
        |                          |                          |
   1. Generate fingerprint ------> |                          |
        |                     2. Submit fingerprint --------> |
        |                          |                     3. Generate bound license
        |                     4. Receive bound license <----- |
   5. Import bound license <------ |                          |
        |                          |                          |

Generate a deployment fingerprint on the RP-PAM server.
Transfer the fingerprint to a machine with internet access (via USB, file share, email, etc.).
Submit the fingerprint to the Ravenphyre portal to receive a bound license.
Transfer the bound license back to the RP-PAM server.
Import the bound license and enable offline mode.

Step 1 — Generate the Deployment Fingerprint¶

The fingerprint is a unique identifier derived from your server's hardware and RP-PAM installation. It ensures the license can only be used on this specific deployment.

Windows (PowerShell)¶

& "C:\Program Files\Ravenphyre\RP-PAM\rppam.exe" license fingerprint --output "C:\Temp\rppam-fingerprint.txt"

Linux (Bash)¶

sudo /opt/rppam/rppam license fingerprint --output /tmp/rppam-fingerprint.txt

Docker¶

docker exec rppam /opt/rppam/rppam license fingerprint --output /tmp/rppam-fingerprint.txt
docker cp rppam:/tmp/rppam-fingerprint.txt ./rppam-fingerprint.txt

The fingerprint file contains a single string that looks like:

RPPAM-FP-a3f8c1d2e5b7...long_hex_string...9f4e

Note: The fingerprint does not contain any sensitive information. It is safe to transfer via email or unencrypted media.

Step 2 — Submit the Fingerprint to Ravenphyre¶

Transfer rppam-fingerprint.txt to a machine with internet access using your preferred method (USB drive, file share, SCP to a bastion host, etc.).

Via Email¶

Email your deployment fingerprint file (rppam-fingerprint.txt) to support@ravenphyre.net.
Include your license key (RPPAM-XXXX-XXXX-XXXX-XXXX-XXXX) in the email.
Ravenphyre will reply with your bound license file: rppam-license-bound.lic.

Via Your Account Representative¶

Contact your Ravenphyre account representative and provide the fingerprint file and license key. They will return a bound license file.

Step 3 — Transfer the Bound License to the RP-PAM Server¶

Transfer rppam-license-bound.lic back to the air-gapped RP-PAM server using your preferred secure transfer method.

Step 4 — Import the Bound License¶

Windows (PowerShell)¶

& "C:\Program Files\Ravenphyre\RP-PAM\rppam.exe" license import `
    --file "C:\path\to\rppam-license-bound.lic" `
    --offline

Linux (Bash)¶

sudo /opt/rppam/rppam license import \
    --file /path/to/rppam-license-bound.lic \
    --offline

Docker¶

# Copy the license into the container
docker cp rppam-license-bound.lic rppam:/tmp/rppam-license-bound.lic

# Import it
docker exec rppam /opt/rppam/rppam license import \
    --file /tmp/rppam-license-bound.lic \
    --offline

Expected output:

License imported successfully.
  Organisation: Contoso Ltd
  Tier: Enterprise
  Max Users: 500
  Expires: 2027-04-07
  Mode: Offline (bound to deployment fingerprint)
  Features: AD, Entra ID, SSH, Database, AI, Session Recording, HA

Step 5 — Enable Offline Mode in Configuration¶

After importing, set offlineMode to true in rppam.config so that RP-PAM does not attempt to contact the LVS.

Windows (PowerShell)¶

Open the configuration file:

notepad "C:\ProgramData\Ravenphyre\RP-PAM\config\rppam.config"

Linux (Bash)¶

sudo nano /etc/rppam/rppam.config

Find the license section and add or set offlineMode:

{
  "license": {
    "offlineMode": true
  }
}

Save the file and restart RP-PAM:

Windows (PowerShell)¶

Restart-Service -Name "RavenphyreRpPam"

Linux (Bash)¶

sudo systemctl restart rppam

Docker¶

docker restart rppam

Step 6 — Verify¶

Windows (PowerShell)¶

Invoke-RestMethod -Uri "https://localhost:7101/api/v1/license/status" `
    -Headers @{ Authorization = "Bearer $apiToken" } `
    -SkipCertificateCheck

Linux (Bash)¶

curl -sk "https://localhost:7101/api/v1/license/status" \
    -H "Authorization: Bearer $API_TOKEN" | python3 -m json.tool

Expected response:

{
    "organisation": "Contoso Ltd",
    "tier": "Enterprise",
    "maxUsers": 500,
    "expires": "2027-04-07T00:00:00Z",
    "status": "active",
    "mode": "offline",
    "boundToFingerprint": true,
    "lastCheckIn": null,
    "nextCheckIn": null,
    "features": ["ad", "entraid", "ssh", "database", "ai", "session-recording", "ha"]
}

Note that lastCheckIn and nextCheckIn are null in offline mode, which is expected.

Renewing an Offline License¶

Offline licenses must be renewed manually before they expire. The process is the same as initial activation:

Generate a new fingerprint (or re-use the existing one if the server hardware has not changed).
Submit it to Ravenphyre with your renewed license key.
Receive and import the new bound license.

Tip: Set a calendar reminder 30 days before your license expires. RP-PAM also logs a warning daily starting 30 days before expiry.

Switching from Offline to Online Mode¶

If your network policy changes and the server can reach the internet:

Set offlineMode to false in rppam.config.
Restart RP-PAM.
Import a standard (non-bound) license via the web portal or REST API.

RP-PAM will begin automatic LVS check-ins within 24 hours.

Troubleshooting¶

Symptom	Cause	Resolution
"Fingerprint mismatch" during import	License was bound to a different server	Generate a new fingerprint on this server and request a new bound license
"License expired"	Bound license has passed its expiry date	Contact `support@ravenphyre.net` to renew the license and repeat the binding process
RP-PAM tries to contact LVS despite offline mode	`offlineMode` not set to `true`	Verify `rppam.config` contains `"offlineMode": true` in the `license` section and restart
"Invalid license format"	File was corrupted during transfer	Re-transfer the `.lic` file using a method that preserves binary integrity (avoid copy-paste of the file contents)
Fingerprint changes after hardware replacement	Fingerprint is hardware-derived	Generate a new fingerprint and request a new bound license from Ravenphyre
Cannot submit fingerprint to Ravenphyre	Email delivery issues or no internet on any machine	Verify email can reach `support@ravenphyre.net`, or contact your Ravenphyre account representative through an alternative channel

Next Steps¶

LVS Relay Setup — An alternative to full offline mode that provides resilience without giving up automatic check-ins
Online License Activation — Switch to online activation if your network policy allows it
Connection String Encryption — Encrypt sensitive configuration values