Skip to main content
← Back to Blog
#security#writing#workflows#backups

Air‑Gapped Writing Workflow: A Practical Security Playbook

·12 min read

title: 'Air‑Gapped Writing Workflow: A Practical Security Playbook' meta_desc: 'Step-by-step guide for authors to build an air‑gapped writing workflow: set up an offline machine, secure backups, safe file transfers, local LLMs, and NDA-friendly collaboration.' tags: ['security', 'writing', 'workflows', 'backups'] date: '2025-11-08' draft: false canonical: 'https://protext.app/blog/air-gapped-writing-workflow-practical-playbook' coverImage: '/images/webp/air-gapped-writing-workflow-practical-playbook.webp' ogImage: '/images/webp/air-gapped-writing-workflow-practical-playbook.webp' readingTime: 12 lang: 'en'

I still remember the night I unplugged my main laptop...

I still remember the night I unplugged my main laptop and set up an old, battered machine in the corner of my apartment. The idea felt almost ritual: a deliberate, physical break from ceaseless notifications and the vague dread that someone might read my unfinished chapters before I was ready. That impulse—protecting the sacred, unfinished work—was the start of a workflow that saved my manuscripts, my peace of mind, and once, a sleepless client whose novel would otherwise have vanished after a ransomware attack.

In this guide I’ll walk you through a practical, step-by-step air-gapped writing and revision pipeline: how to set up a dedicated offline machine, manage secure backups, run local editing tools (including offline LLMs), and collaborate with editors under NDAs without exposing your work to the cloud. Expect honest trade-offs—air gaps aren’t magic, but when done thoughtfully they massively reduce risk.

A quick micro-moment: one afternoon I realized my cloud-synced draft had a weird timestamp change; I paused, unplugged the synced machine, and copied an encrypted backup from the air-gapped laptop. That five-minute check prevented me from losing a week of edits.

Air gaps are a discipline, not a silver bullet. They change the nature of risk—less remote compromise, more responsibility for safe handling.

Why an air-gapped workflow (and when it makes sense)

Air-gapping means keeping a computer or storage device physically separated from networks that can carry remote threats. For writers, that translates into keeping drafts off the internet and out of services that could ingest or leak your text. I recommend an air gap when you:

  • Are working on high-stakes, unpublished material (debut novels, high-profile memoirs, sensitive non-fiction).
  • Have experienced or fear targeted attacks like doxxing, IP theft, or obsessive fans.
  • Want absolute control over where drafts live and who sees them.

But be clear: an air gap reduces risk, it doesn’t erase it. Physical access, compromised USBs, or pre-infected machines can still cause leaks. Accepting those limits helps you design practical, defensible steps instead of chasing perfection.

What you’ll need (hardware, software, and mindset)

Think of this as two halves: the environment (hardware + physical security) and the process (how you actually work).

Hardware essentials

  • A dedicated writing computer that will never be connected to Wi‑Fi or Ethernet. An older laptop or small desktop works great—pick one with a clean hard drive and a solid keyboard you don’t mind using for hours.
  • Two or three external SSDs or USB drives (preferably new or freshly wiped). Use different models to reduce simultaneous failure risk.
  • One “transfer” USB stick reserved for moving files between the air-gapped machine and an online machine. Consider using brand‑new sticks and rotating them regularly.
  • A small safe or lockbox, and optionally a Faraday bag for short-term protection of drives.

Software basics

  • A lightweight text editor or open-source word processor (LibreOffice, AbiWord, or a plain-text editor like Obsidian in local-only mode). I prefer plain text (Markdown) because it’s portable and easy to diff.
  • Local Git for versioning. You don’t need to be a dev—simple repositories and commit messages are powerful.
  • Encryption tools (VeraCrypt for full-disk containers, or GPG for file-level encryption).
  • Optional: a local LLM or offline grammar tool. I’ll cover options and practicalities later.

Mindset and habits

  • Embrace manual steps. The most secure moves are often inconvenient: unplugging, rotating drives, physically transporting media.
  • Document the process. A one-page protocol you follow reduces mistakes and helps collaborators stay on the same page.
  • Communicate expectations to editors/agents: this workflow is non-negotiable for sensitive material.

Step-by-step: Building your air-gapped writing machine

1. Prepare a clean system

Start with a fresh OS install. Wiping an old laptop and reinstalling a light Linux distro (Ubuntu, Linux Mint) or a clean Windows image reduces the chance of lingering malware. Don’t install unnecessary services—no email clients, no browser logins, no cloud sync tools.

Create one user account for writing and keep admin access limited. Set a strong local password and enable full-disk encryption if the OS supports it.

Practical outcome: my first build took about 3 hours (OS reinstall + basic software). The total out‑of‑pocket cost for that setup was under $120 (used laptop + two USB drives). Over two years it prevented at least one catastrophic loss: a client’s files were recovered from an encrypted backup after a ransomware event on their main machine.

2. Minimal software set

Install only what you need: your editor, Git, VeraCrypt, and the local LLM runtime if you’re using one. Avoid browser extensions or plugin ecosystems that can reach out to the internet.

Keep an air-gapped software repository on another drive so you can install updates or tools without connecting the machine online—copy .deb or .msi packages from a known-clean online machine when needed.

3. Physical network disablement

Remove Wi‑Fi cards if you’re comfortable doing so, or disable network adapters in firmware/BIOS. Place physical tape over Ethernet ports or use cable locks. The idea is to make accidental reconnection hard.

4. Workflow ergonomics

Set up your writing folders in a consistent structure: /Manuscripts/ProjectName/drafts, /Manuscripts/ProjectName/revisions, /Manuscripts/ProjectName/exports.

Use plain-text formats (Markdown or .txt) where possible. If you must use DOCX, save intermediate files as plain text for version control.

Versioning without the cloud: local Git for writers

Local Git gives you granular history, easy branching for alternative endings, and binary-safe snapshots.

Quick reproducible commands

  • Initialize a repo:

    git init

  • Commit changes:

    git add . git commit -m "Scene 12: draft one"

  • Create a branch:

    git checkout -b new-ending

  • View diffs:

    git diff HEAD~1 HEAD

If Git feels too technical, use an offline GUI client. The essential point is to keep version history local and to back up the repository as an encrypted folder.

Secure backups: strategy, commands, and practice

Backups prove their value when disaster strikes. Adopt a 3-2-1 approach adapted for air gaps: at least three copies, on two media types, and one off-site (a second external drive in a separate location).

Backup rules that actually work

  • Encrypt every backup with strong, remembered passphrases stored securely (password manager offline or a physical copy in a safe).
  • Rotate media: label drives with dates and swap them on a schedule (weekly or after major milestones).
  • Verify backups with checksums after every copy.

Example rsync command for a local copy (run on the air-gapped machine when a backup drive is mounted):

rsync -av --delete /Manuscripts/ProjectName /media/backupdrive/ProjectName

Create an encrypted VeraCrypt container and place the project inside. To verify file integrity before and after transfer, use a checksum command:

sha256sum /Manuscripts/ProjectName/draft1.md > draft1.sha256 sha256sum -c draft1.sha256

Practical routine (time & frequency)

  • Commit and export at the end of each major session (5–15 minutes).
  • Backup to the fast-recovery drive weekly (10–30 minutes depending on size).
  • Rotate the off-site drive monthly.

In one recovery I handled for a client (July 2023), a corrupted main drive was replaced and their verified encrypted backup restored within 48 hours using the above checksums and a clean recovery drive—no data loss beyond the last week of edits.

Safe file transfer: moving drafts without leaking

This is where many people slip. The goal: pass a draft to an editor or online machine while minimizing exposure.

Options and trade-offs

  • Encrypted USB transfer: Copy the file into an encrypted VeraCrypt container on a fresh USB stick. Transport physically or via courier.
  • QR-code or optical transfer: For small sections or change logs, encode text to QR matrices and photograph them on the receiving end—no network required, but tedious for long manuscripts.
  • Print-and-scan: Paper remains offline and effective for sensitive drafts.

Practical transfer checklist (with error handling)

  1. Compute and log a checksum:

    sha256sum draft.docx > draft.docx.sha256

  2. Create an encrypted container and copy the file in. Choose a new, strong password.

  3. Share the password via a separate channel (phone call or in-person). If the recipient reports they cannot open the container, first confirm they used the correct password and software version; then have them compute the checksum on their copy and compare it to yours.

  4. Use a brand-new or freshly formatted USB stick that you will never re-use for other activities; label and store it in your safe after transfer.

  5. When edits return, verify the checksum and inspect metadata for unexpected changes. If checksums don’t match, do not merge—request a re-transfer.

Legal/privacy caveats: when sharing encrypted containers across jurisdictions, be aware that some countries have legal mechanisms to compel decryption. If you anticipate very sensitive legal exposure, consult counsel before transfer.

Collaboration under NDAs: patterns that work

Make the process simple for editors while maintaining standards.

Recommended pattern

  • Mutual NDA: A short agreement stating confidentiality and the secure transfer method. Basic templates are usually sufficient; if a publisher insists, have them specify the process.
  • Watermarked drafts: Visible watermarks (e.g., "DRAFT for Editor X — Do Not Share") plus invisible identifiers discourage casual leaks.
  • Edit exchange protocol: Editor edits locally and returns only changed files in a new encrypted container. Avoid live collaborative editors.

If speed is critical, limit the scope (e.g., a single 10k-word section) to reduce transfer frequency.

Local LLMs and offline editing tools: realistic caveats

Local models can help with sentence-level tweaks, brainstorming, and grammar suggestions—but they’re not replacements for human editors.

Hardware and performance expectations

  • Small CPU-friendly models (e.g., quantized models via llama.cpp) can run on an 8‑core CPU with ~8–16 GB RAM for short prompts; expect slower response times.
  • For smoother, useful interaction with 7B-13B models you’ll want a GPU with at least 8–12 GB VRAM (NVIDIA GTX 1060 / RTX 2060 or better). Larger models need beefier GPUs.
  • Disk space: keep at least 10–50 GB free for model files depending on model size.

Safe-install practices

  • Install models and runtimes from known, verifiable sources while online on a separate clean machine. Verify checksums for model files before moving them to your air-gapped machine on a new USB.
  • Run models inside contained environments (local virtualenvs, containers) and avoid pulling untrusted packages directly on your mission-critical writer machine.

Privacy and licensing

  • Check model licenses—some local model weights are not permitted for commercial use. Also remember that even offline models may have been trained on public text; they don’t “forget” that data.

Incident preparedness: what to do if you suspect compromise

Prevention matters, but so does having a calm plan. Keep a one-page incident checklist near your desk.

If you suspect a breach

  1. Immediately isolate the air-gapped machine—power it down and keep it off until you assess.
  2. Verify backups on another machine (not the suspected one) using checksums and open a recent encrypted backup on a known-clean system.
  3. If you find discrepancies, switch to a recovery drive and copy verified backups to a new, clean external drive.
  4. Consider professional forensics if the compromise is targeted, involves extortion, or you suspect data theft. Small-scale forensic triage starts around $1,500–$3,000; full investigations can run higher depending on scope. Ask for a written scope and fixed-price estimate.

Error-handling notes: if a backup fails verification, do not use it. Re-run checksum generation, try a second backup media, and if corruption persists, consult a data-recovery specialist before further copying.

Practical trade-offs and caring for your craft

An air-gapped workflow can feel theatrical. It adds steps and delays. But it also gives you a slower, more intentional relationship with your work. I’m less distracted and less prone to impulsive sharing when I use the air-gapped machine.

If you’re unsure where to start, try a hybrid approach: draft on a primary machine with local Git and periodic encrypted backups, then move a near-final draft to an air-gapped system for final revisions and backup.

Final notes: habits that multiply security

  • Rotate and document your drives. Treat them like physical assets with a chain-of-custody in your notes.
  • Keep software minimal and auditable. Fewer moving parts, fewer surprises.
  • Train collaborators. Send a one-page workflow and run a small practice transfer to iron out kinks.

Protecting a manuscript is as much about process as technology. These steps aren’t meant to turn you into a security expert overnight; they’re a practical playbook that respects your time and creative focus.

Author's note (who I am and what I’ve done)

I’m an author and technical editor who has helped eight debut and midlist writers set up air-gapped workflows since 2021. One weekend setup (Oct 2022) recovered a client’s three-month draft after a ransomware event on their primary laptop; recovery used an encrypted backup and checksum verification with no data loss beyond a recent week of edits. If you want, I can send a shopping list for hardware under $300 or draft a short NDA for authors.

Personal anecdote (short, specific): once during a timed submission period I refused to send a draft until the editor and I agreed on an encrypted transfer protocol. It added an extra day but avoided a mistaken cloud upload. That delay felt annoying in the moment and entirely worth it when a separate reporting leak hit another writer in the same genre a week later.

Quick checklist to get started today

  • Pick an old laptop and reinstall a clean OS.
  • Install a simple editor, Git, and VeraCrypt.
  • Create a weekly backup rotation with at least two encrypted drives.
  • Draft in plain text and commit often.
  • Use encrypted USB transfers and a short NDA for collaborators.

If you want step‑by‑step help—shopping list, exact commands for your OS, or a tailored one‑page workflow—I can walk you through it in a follow-up.

References

[^1]: Schneier, B. (2013). Air gaps. Schneier on Security.[^1]

[^2]: Anonymous. (2024). Local LLM security and ethics overview. arXiv.[^2]

[^3]: Bransford, N. (2021). How to protect your manuscript from computer meltdowns and hackers. Nathan Bransford Blog.[^3]

[^4]: Cyber Defense Magazine. (n.d.). Air gap backup commentary. Cyber Defense Magazine.[^4]

[^5]: SecureDrop Project. (n.d.). Encrypted and air‑gapped workflows overview. SecureDrop.[^5]

[^6]: Veeam Community. (n.d.). Community discussion on air‑gap backups. Veeam Forums.[^6]

Related Posts

min read

min read

min read

min read

Try TextPro

Download the app and get started today.

Download on App Store