air-gapped · open source Verify ↗ Request access →

The core comprehension

How the air gap works

Your phone connects only to the GuardTalk gateway. The gateway is the single bridge between you and the internet — and everything crossing it is hardened and routed through Tor.

The data flow

What leaves your phone, and where it goes.

The phone holds no modem connection to the internet. Its only link is Wi-Fi to a gateway you own. Everything bound for the outside world is wrapped in WireGuard and routed over Tor before it leaves the gateway.

The air gap Your phone connects only to the GuardTalk gateway. A probe from the internet reaches the gateway boundary and is dropped. Nothing reaches the phone except through the gateway, which routes traffic over WireGuard and Tor. phone modem off Wi-Fi only Gateway the only bridge you hold this ‖ THE GAP ‖ WireGuard → Tor internet probe incoming attempts stop at the gateway — they never reach the phone.
Phone → ‖ the gap ‖ → Gateway → WireGuard → Tor → Destination. The phone never touches the internet directly.

From the phone

Only Wi-Fi traffic to the gateway leaves the device — no modem, no cellular data, no direct route to the internet. The gateway is the sole destination it can reach.

Across the gateway

The gateway inspects, filters, and wraps outbound traffic in WireGuard, then routes it over Tor. Unsolicited inbound probes stop at the boundary and never reach the phone.

What we can't see

The keys stay with you; we operate no server that can read your messages. What the gateway protects, and where that protection ends, is set out in the threat model.

The user journey

From kit to conversation, in six steps.

Honest about effort and time. None of this is instant, and none of it asks you to take a claim on faith — each step has a verification you can perform yourself.

Receive your kit.

A gateway appliance and a separate biometric key arrive — shipped to a destination, not an identity. The two parts travel apart so neither alone unlocks anything. Inspect the packaging before you power anything on.

Set up the biometric key.

You enrol the hardware key that unlocks the gateway's full-disk encryption (LUKS2 / argon2id / AES-256-XTS). Set aside roughly 10–15 min. You also set the duress credential here — its limits are stated in the threat model.

First boot of GuardTalkOS.

Flash the 0.1.0 build to a supported Pixel 8 / Pixel 9 and confirm verified boot. First boot takes a few minutes while the system initialises; read the release notes before you rely on it.

Connect your phone to the gateway.

The phone joins the gateway over Wi-Fi — the only network it can reach. There is no cellular setup, no SIM, no fallback path to the internet. Pairing takes a few minutes once both devices are unlocked.

Communicate.

Messages, calls, and files move with quantum-resistant end-to-end encryption (QPC) and no phone number attached. Everything outbound crosses the gateway and is routed over Tor. What metadata exists, and what does not, is stated plainly in the threat model.

Manage & monitor.

Review the gateway's status, blocked probes, and key-rotation log from the device you hold. For a fleet, an admin manages devices — not message contents. The Tor admin brain ties this together.

Understand the gap, then read its limits.

The air gap is one part of a system. See how the five components fit together, and where each protection ends.

Read the threat model →See the whole system →