Skip to content
VaultTerm
Browse docs

Get Started

Credential Vault

Terminal & SSH

Teams & Organizations

Browser Extension

Privacy-First AI

Self-Hosting

Administration

Configuration Reference

Security & Architecture

API & Integrations

Troubleshooting & FAQ

privacy-first-ai

Self-hosted AI setup

Point AI at your own network: set AI_PROVIDER=ollama, OLLAMA_URL and AI_MODEL, and leave ANTHROPIC_API_KEY unset for a fully local install with no cloud path.

Updated Jun 23, 2026

To run VaultTerm’s AI entirely on your own network, point it at an Ollama host on your LAN and leave the cloud key unset. With no cloud key configured, there is no cloud path at all — prompts and terminal output stay on the network.

Prerequisites

  • An Ollama host reachable from the VaultTerm server, with the model you want already pulled.
  • Network reachability from the server to the Ollama host on your LAN.

Configure a fully local install

  1. Set AI_PROVIDER=ollama to select the self-hosted provider.
  2. Set OLLAMA_URL to your Ollama host’s URL.
  3. Set AI_MODEL to the model name Ollama should use.
  4. Leave ANTHROPIC_API_KEY unset. With no cloud key, the cloud (Claude) path does not exist — the install is fully local.
# Self-hosted AI on your LAN, no cloud path
AI_PROVIDER=ollama
OLLAMA_URL=http://your-host.example.com:11434
AI_MODEL=llama3
# ANTHROPIC_API_KEY intentionally unset -> no cloud egress path

Replace your-host.example.com:11434 with your actual Ollama host and llama3 with the model you pulled.

What this gives you

  • Terminal output stays on the LAN. On-prem, with the cloud key unset, the model that sees your prompts and any terminal output is the one on your own network. Nothing is sent to a cloud provider.
  • No cloud egress to opt into. Because there is no cloud key, the per-organization cloud opt-in is moot — there is no destination to send a redacted payload to. See AI privacy model for how the gate behaves when a cloud key is present.

Verifying it is local

After setting the variables and restarting the server, exercise an AI feature (for example the command copilot) and confirm the response comes back. Because ANTHROPIC_API_KEY is unset, there is no code path to a cloud provider, so any assistance you receive was produced by the local Ollama model.

Adding a cloud fallback later

If you later decide to allow a redacted cloud fallback, set ANTHROPIC_API_KEY and CLOUD_AI_MODEL, and opt the relevant organization in. Even then, the cloud is reached only behind the redaction gate and the per-organization opt-in — see AI privacy model. Until you do that, the install stays fully local.

Where to go next

All docs · Ask a question