In short, it needs to be downloaded somewhere that has internet access, then copied over to your airgapped machine. There's a few different ways that you could do that, but here's the one I recommend:
After downloading and unpacking the cryptography source tarball, run these commands on a computer that has internet access:
Then copy the modified version of cryptography3 over to the airgapped machine, and build it there. For more information on this, read the manual page on the cargo vendor command.
This is a pretty bad solution. The proper solution is for the cryptography3 people to do this themselves before releasing the package. That way, anyone building an internal mirror of pypi will also have all this Rust code mirrored there, instead of implicitly creating a dependency between pypi and crates.io
Cargo works offline only after it has cached the index and dependencies that are needed. The cryptography crate uses dependencies from crates.io, so they have to be downloaded first. The problem is similar to running pip install offline.
CARGO_NET_OFFLINE could work if you copy ~/.cargo directory from a machine that has already fetched required dependencies. There's cargo fetch that you can run in a directory with Cargo.toml and Cargo.lock for the Rust part of the cryptography crate.
There are already wheels for Linux, macOS and Windows: cryptography · PyPI AFAIK a python wheel contains native libraries in already compiled form. @tonymagalha do you think you know why pip doesn't pick up on this wheel?