Categories: Protection

Cloud FSB

Automatic build systems and continuous integration have become the standard for modern software development processes. Typically, the environments in which these processes happen are virtual to enable the developers to scale the resources involved up or down to meet their needs. Moving all of these build environments into the cloud, e.g., in Azure DevOps, seems the logical next step.

But one key component in the development process is protecting the software by encrypting the executable files of the application. This means that it has to happen after the software has been compiled, but before the actual installation package is put together.

One of the unique selling points of CodeMeter is its strong link between this encryption and the software license. A secret key, called the Product Item Secret Key (PISK), is stored in the license itself and is needed to decrypt your software. This means that the same PISK also has to be known during encryption. CodeMeter achieves this by calculating the PISK from your Firm Code, your chosen Product Code, and your secret master keys. These secret keys are hidden in your Firm Security Box, or FSB, which is a CmDongle that Wibu-Systems has prepared for you with your very own Firm Code.

When you enter a Product Code, such as 201000, for the encryption process, the PISK is calculated from the combination of that code and your Firm Code, and the software can be encrypted. The same PISK is calculated and stored in licenses when you create a license with the same Product Code.

The end result is simple:

  • License is present and correct: The software can be decrypted.
  • License is missing: The software cannot be decrypted.

This shows why the FSB is essential for encrypting your software. But how can you plug a CmDongle into a virtual machine or Docker container in the cloud? Wibu-Systems introduced a solution to this conundrum in mid-2022 in the form of the Cloud FSB. It is hosted by Wibu-Systems and acts like a virtual dongle. The build system connects to it on port 80 or 443.

As with a regular CmDongle, nobody can retrieve the master key in a CmCloudContainer. A system that has the right to access the FSB can use the key, but cannot steal it.

For your build system to connect with the Cloud FSB, you need a credential file, which includes a strong password and takes over the job of establishing a secure and encrypted connection. In CodeMeter Runtime, a Cloud FSB would then appear as a regular local CmDongle. You can access the Cloud FSB through the CodeMeter Developer Portal and connect it directly to your local device or download the credential file. The latter option makes sense for your build system, although the file should definitely be kept safe and secure. You can find more about how to do this in the Azure DevOps topic “Use secure files”.

FSBs come in two types. The first is a standard FSB, which can create licenses and encrypt software with a licensed version of AxProtector. The second is an Encryption-Only FSB. As its name implies, it can encrypt software, but it cannot create licenses. It is recommended for automatic build systems, since the damage in the case of loss or theft would be less dramatic than with a full FSB. Should it be lost and somebody else start to use the credential file illegally, it can simply be voided through the CodeMeter Developer Portal. The credential file would be recreated and be ready for rollout across your systems with little disruption.
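The PISK binding between encryption and license, and the Encryption-Only restriction, can be modelled in a few lines of Python. This is an added example, not Wibu-Systems code: HMAC-SHA256 as the derivation, the toy stream cipher, all class and function names, the Firm Code 123456, and the random master key are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Toy keystream (HMAC in counter mode), for illustration only.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = _mac(key, b"ks" + nonce + i.to_bytes(8, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

class FirmSecurityBox:
    """Model of an FSB: callers can use the master key but have no method to read it."""
    def __init__(self, firm_code, master_key, encryption_only=False):
        self.firm_code, self.encryption_only = firm_code, encryption_only
        self.__master_key = master_key

    def _pisk(self, product_code):
        # Assumption: HMAC-SHA256 stands in for the real derivation, which the article does not specify.
        return _mac(self.__master_key, f"{self.firm_code}:{product_code}".encode())

    def encrypt(self, product_code, plaintext):
        key, nonce = self._pisk(product_code), secrets.token_bytes(16)
        body = _xor_stream(key, nonce, plaintext)
        return nonce + _mac(key, b"tag" + nonce + body) + body

    def create_license(self, product_code):
        if self.encryption_only:
            raise PermissionError("Encryption-Only FSB cannot create licenses")
        return {"product_code": product_code, "pisk": self._pisk(product_code)}

def decrypt_with_license(license_entry, blob):
    """Return the plaintext, or None if the license is missing or carries a different PISK."""
    if license_entry is None:
        return None
    key, nonce, tag, body = license_entry["pisk"], blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, _mac(key, b"tag" + nonce + body)):
        return None
    return _xor_stream(key, nonce, body)

# Constructed sample values; 201000 is the Product Code used in the article.
MASTER = secrets.token_bytes(32)
FULL_FSB = FirmSecurityBox(123456, MASTER)
BUILD_FSB = FirmSecurityBox(123456, MASTER, encryption_only=True)
```

The build-side object can encrypt for Product Code 201000, and only a license created for that same Product Code yields the plaintext again; the build-side object itself refuses to issue licenses.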

 

KEYnote 44 – Edition Fall/Winter 2022
