
Licensing and Protecting Industrial Edge Devices

Does the advent of Software as a Service (SaaS) mean the end of software licensing as we know it? Not all solutions are suitable for SaaS, which has only served to make containerization in edge computing even more complex.

What is Edge Computing?

The era of data being processed and software run exclusively on local hardware is over. The rise of SaaS has changed how companies work. Predictive maintenance and CRM systems that used to be hosted on local servers are now typically kept in the cloud and accessed by users over the Internet.

Cloud landscapes do not come without their own challenges, starting with questions of bandwidth or availability and going to issues of latency or data security. The exponential growth of IoT devices has exacerbated the data deluge, which means that a balance needs to be found between cloud and on-premise solutions. This is where edge computing comes in.

Edge computing happens at the threshold between both worlds. Instead of the cloud, applications run on the end users’ devices, and only a minimal amount of data is sent to the cloud. By keeping a part of data processing on the ground, edge computing reduces latency and allows data to be processed virtually in real time. Sensitive data or algorithms can also stay on the user’s hopefully secure premises, which improves data security and helps with data protection regulations.

In essence, edge computing is the software provisioning option that enables companies to benefit from the advantages of the cloud without accepting all of its drawbacks.

Challenges for software licensing

For software developers, keeping control over how their products are distributed is paramount, because illicit use can threaten entire business models. Technical evolution and the constant and growing threat of software piracy mean that software publishers need to adjust how they protect and license their software all the time.

The same is true in edge computing. The term does not really say anything about which hardware or system architecture is being used, even if the systems in question run in a set of containers in the large majority of cases. Containerization has made it much easier to keep tabs on the applications running in the containers.

But there are challenges: Edge computing is used in a diverse range of contexts. Not all of the systems in question can be kept online at all times. There needs to be a way to make sure that they can run without jeopardizing the license terms even if the system is disconnected from the Internet.

Product managers, software architects, and developers for all types of applications running on edge devices need to get together and consider how they can protect their intellectual property and their license terms in actual practice.

There is another option: Separate protection and licensing. An application could be protected in the IP Protection mode of AxProtector from CodeMeter Protection Suite. For the actual license checks, some tolerance can be added in the application; that is, the application can be allowed to run for a while even if the right license cannot be found. Naturally, these decisions need to be taken at an early point in planning and development.


The great advantage of CodeMeter by Wibu-Systems is that the access and cryptographic operations with the licenses are identical for any type of CmContainer. This means that the way of rolling out licenses can be adjusted perfectly to match each individual situation. When initially encrypting and protecting an application, it does not matter at all how or where the license is provided to the end user.


If technically feasible, a CmDongle can be used to benefit from its dedicated hardware with a built-in crypto chip. Since a CmDongle can be connected with only a single CodeMeter component, a setup with multiple containers usually runs a container with a CodeMeter license server that links up with the CmDongle. From there, the licenses are made available to all the other containers.


The purely software-based CmActLicenses are another choice that binds the licenses to a fingerprint of the system’s properties. For meaningful security, the license needs to be bound to a secure anchor. This is usually done by selecting a whole set of system traits that are then combined by the patented SmartBind technology to create a unique, but also sufficiently tolerant fingerprint.

Enforcing system-specific licensing can be harder in a container environment, because containers were designed to make everything as abstract as possible and limit data flows to the host or other containers to the desired minimum. A side effect is that the usual set of system properties can normally not be read out, and the license data cannot be kept persistent over time.
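The idea of a tolerant fingerprint, and why it breaks down inside a container, can be shown with a simplified k-of-n trait match. This is an added illustration, not CodeMeter or SmartBind code (the article does not describe SmartBind's internals); the trait names, sample values, salt and threshold are all constructed assumptions.

```python
import hashlib
import hmac

SALT = b"constructed-demo-salt"  # constructed; a real scheme would keep this secret

def _digest(name, value):
    # Keyed digest per trait, so stored references do not reveal raw serials.
    return hmac.new(SALT, f"{name}={value}".encode(), hashlib.sha256).digest()

def enroll(traits):
    """Record one reference digest per readable trait at activation time."""
    return {n: _digest(n, v) for n, v in traits.items() if v is not None}

def matches(enrolled, current, threshold):
    """Return (accepted, hits): accepted when at least `threshold` traits agree."""
    hits = 0
    for name, ref in enrolled.items():
        value = current.get(name)
        # An unreadable trait (None or missing) counts as a mismatch.
        if value is not None and hmac.compare_digest(ref, _digest(name, value)):
            hits += 1
    return hits >= threshold, hits

# Constructed sample traits (not real hardware identifiers).
HOST = {"cpu_model": "ExampleCPU 4C", "disk_serial": "DSK-0001",
        "mac_address": "02:00:00:00:00:01", "machine_id": "a1b2c3",
        "board_serial": "BRD-7781"}
HOST_NEW_NIC = dict(HOST, mac_address="02:00:00:00:00:99")   # one part replaced
OTHER_MACHINE = {"cpu_model": "ExampleCPU 4C", "disk_serial": "DSK-0444",
                 "mac_address": "02:00:00:00:00:42", "machine_id": "ffee00",
                 "board_serial": "BRD-1203"}                  # copied license
CONTAINER_VIEW = {"cpu_model": "ExampleCPU 4C", "disk_serial": None,
                  "mac_address": "02:42:ac:11:00:02", "machine_id": None,
                  "board_serial": None}                       # host traits hidden

if __name__ == "__main__":
    ref = enroll(HOST)
    for label, view in [("same host", HOST), ("NIC swapped", HOST_NEW_NIC),
                        ("other machine", OTHER_MACHINE), ("container", CONTAINER_VIEW)]:
        print(label, matches(ref, view, threshold=4))
```

With the threshold at 4 of 5, a single replaced component is tolerated, while a copy on other hardware and the same host seen from inside a container both fall below it.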

For Docker environments in particular, Wibu-Systems has already tweaked its binding technology for CmActLicenses. The necessary data is stored in a so-called named volume and bound to that volume at the same time. This makes it impossible to simply copy or move licenses around. However, this also needs more rights for the container accessing the license. For CmActLicenses to be installed in a container, the license provider needs to specifically activate this option.


Another highly secure variant is provided by CmCloudContainer, a cloud-based licensing system. The keys on the license never leave the private cloud operated by Wibu-Systems and all cryptographic operations are also executed there. Of course, a CmCloudContainer needs an Internet connection, which has to be permanent and stable for the licensing system to work as it is supposed to. If that is not guaranteed, it helps to separate IP protection from licensing and add some tolerance for the latter.
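The tolerance mentioned here and in the earlier passage on separating protection from licensing can be sketched as a bounded grace period around the license check. This is an added example, not CodeMeter API code: `check` is a hypothetical callable standing in for whatever license query the application makes, and the one-hour window is an assumed value.

```python
import time
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class LicenseGate:
    check: Callable[[], bool]                 # hypothetical license probe
    grace_seconds: float                      # how long to tolerate a missing license
    clock: Callable[[], float] = time.monotonic
    last_ok: Optional[float] = None           # in memory only: a restart clears it

    def allowed(self):
        """Return (run_allowed, reason) for the current moment."""
        now = self.clock()
        try:
            ok = bool(self.check())
        except Exception:
            ok = False                        # unreachable server == license not found
        if ok:
            self.last_ok = now
            return True, "licensed"
        if self.last_ok is None:
            # Tolerance only extends a previously verified license; a process
            # that has never seen one (including after a restart) fails closed.
            return False, "never-licensed"
        elapsed = now - self.last_ok
        if elapsed < 0:
            return False, "clock-rollback"    # time source moved backwards
        if elapsed <= self.grace_seconds:
            return True, "grace"
        return False, "grace-expired"

if __name__ == "__main__":
    online = {"up": True}                     # constructed stand-in for connectivity
    gate = LicenseGate(check=lambda: online["up"], grace_seconds=3600)
    print(gate.allowed())                     # license reachable
    online["up"] = False
    print(gate.allowed())                     # connection lost, inside the window
```

Because the last successful check is held only in memory and measured on a monotonic clock, restarting the container or changing the wall-clock time does not extend the window.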

Taking a detour

On top of the options explained here, there is another way: using CodeMeter licenses indirectly. The edge device or the container with the CodeMeter license server can connect to any CodeMeter license server on the network. It is there that licenses could be provided (using any type: CmDongle, CmActLicense, or CmCloudContainer).

A final option is providing a CmDongle indirectly via a USB-over-Ethernet setup. This is favored by many administrators for its easy management and ability to keep CmDongles and the dongles of other makers in a single physical place.

The right stuff

It is simple: Different use cases need different solutions. When picking the right option, it helps to ask an expert and carefully weigh up one’s choices. There is no one final answer to everything that could determine which solution is best for any scenario. But the versatility of CodeMeter ensures real compatibility with a vast range of use cases, making it the ideal solution for software makers who want to master the complexity of licensing in edge computing environments.


KEYnote 46 – Edition Fall/Winter 2023
