Air gapped mode? #194

Open
gmaxwell opened this issue Jun 22, 2015 · 1 comment

@gmaxwell

I don't know about other folks, but I generally keep my discreet relationships with the Director of the CIA confined to an air-gapped host.

For Pond the only way to do this currently is to put ASCII-armored PGP inside Pond messages. This has a couple of downsides: it's a pain to use (e.g. requires unusual procedures from your Pond counterparties), it roughly halves the channel capacity, and it blows forward secrecy if you leave the storage you used to shuttle information across the airgap where it can be discovered; if you're at all careless with the PGP it can also break deniability.

Of course, one can compromise the airgap and make only the Tor connection to the Pond server work; but it's somewhat hard to be sure you got this right.

It would be nice if I could run a headless Pond polling daemon that polled for data and dropped it into a directory that I could shuttle across the airgap UUCP style, but which didn't have access to the ephemeral keys needed to decrypt messages. This might also improve traffic analysis immunity, since the headless polling might have a reduced uptime signature compared with a GUI-enabled client with an end user sitting at it.

@burdges
Contributor

burdges commented Jun 22, 2015

Axolotl needs two-way communication, so you'd need to send messages from the air-gapped machine too, and transfer them over, or finagle some mechanism for transferring 32-byte keys.
