Air-gapped systems present unique challenges for software licensing. By definition, these machines cannot communicate with external servers, making traditional online license validation impossible. In this guide, we’ll explore the challenges and solutions for licensing software in disconnected environments.
What is an Air-Gapped System?
An air-gapped system is a computer or network that is physically isolated from unsecured networks, including the internet. These systems are commonly found in:
- Industrial control systems (SCADA, PLCs, DCS)
- Military and government classified networks
- Medical device networks
- Financial trading systems
- Critical infrastructure
The air gap provides security by ensuring that attackers cannot remotely access the system. However, it also means that any software running on these systems must operate without network connectivity.
Challenges of Air-Gap Licensing
1. No Online Validation
Traditional software licensing relies on calling home to a license server. In an air-gapped environment, this is impossible. Your licensing system must be able to validate licenses using only local data.
2. Time-Based License Expiration
How do you enforce license expiration when you can’t trust the system clock? Users could simply set the clock back to extend their license indefinitely.
3. Hardware Changes
Machines in industrial environments may have components replaced during maintenance. Your licensing system needs to handle legitimate hardware changes without invalidating licenses.
4. Activation and Updates
Getting licenses onto air-gapped machines requires physical media transfer (the “sneakernet”). This process must be secure and auditable.
Solutions and Best Practices
Cryptographic License Validation
The foundation of air-gap licensing is cryptographic signatures. Instead of calling a server to verify a license, you embed your public key in the application and verify the license signature locally.
// Generate a license (on the server)
let license = LicenseBuilder::new()
.licensee("Acme Corp")
.product("IndustrialSuite Pro")
.expires_at(Utc::now() + Duration::days(365))
.add_feature("advanced-analytics")
.sign(&private_key)?;
// Validate the license (on the air-gapped client)
let verifier = LicenseVerifier::new(&public_key)?;
let claims = verifier.verify(&license)?;
Time-Tampering Protection
To prevent clock manipulation, implement monotonic time tracking:
- Record the highest timestamp seen - Store this in an encrypted file
- Detect clock rollback - If current time is before recorded time, the clock was manipulated
- Use secure state storage - Encrypt the time state with a machine-specific key
let verifier = LicenseVerifier::new(&public_key)?
.with_time_tampering_protection()
.with_state_file("/var/lib/myapp/license.state")?;
Hardware Binding with Tolerance
Rather than locking a license to exact hardware identifiers, use a weighted scoring system:
| Component | Weight |
|---|---|
| CPU ID | 30 |
| Motherboard Serial | 25 |
| Disk Serial | 20 |
| MAC Address | 15 |
| Hostname | 10 |
A machine passes validation if the score exceeds a threshold (e.g., 70). This allows for legitimate hardware changes while preventing wholesale license transfer.
Sneakernet Activation Workflow
For completely offline activation:
-
Generate activation request on the air-gapped machine
licenz activate --request > activation-request.json -
Transfer request to an internet-connected machine
-
Process activation on the license server
licenz-server activate --request activation-request.json > activation-response.json -
Transfer response back to the air-gapped machine
-
Complete activation
licenz activate --response activation-response.json
Security Considerations
Key Management
- Store your private signing key in an HSM or secure key vault
- Rotate keys periodically (annually at minimum)
- Plan for key revocation scenarios
License File Protection
- Encrypt sensitive license data with a machine-derived key
- Use secure storage locations with appropriate permissions
- Consider integrity checking for license files
Audit Logging
Even in air-gapped environments, maintain audit logs:
- License validation attempts (success and failure)
- Hardware binding checks
- Time-tampering detection events
These logs can be periodically exported during maintenance windows.
Common Pitfalls to Avoid
- Storing secrets in the binary - Assume your binary will be reverse-engineered
- Using system time for expiration - Always implement anti-tampering
- Exact hardware matching - Industrial machines have parts replaced
- No grace period - Allow time for license renewal
- Complex activation - Make the sneakernet process as simple as possible
Conclusion
Air-gap licensing requires careful design, but it’s entirely achievable with modern cryptographic techniques. The key principles are:
- Cryptographic signatures for offline validation
- Monotonic time tracking for expiration enforcement
- Weighted hardware binding for anti-piracy with tolerance
- Simple sneakernet workflows for activation
Licenz implements all of these patterns out of the box. Check out our documentation to learn more, or contact us if you have questions about your specific use case.
Stay up to date
Get the latest news about Licenz, including product updates, security best practices, and licensing industry insights.
Related Articles
Enterprise Software Licensing Security: Best Practices for 2025
Security best practices for software vendors implementing licensing systems. From key management to threat modeling, learn how to protect your software and your customers.
Marcus Johnson The Complete Guide to Air-Gap Software Licensing
A comprehensive guide to implementing software licensing in disconnected, air-gapped environments. Learn the challenges, solutions, and best practices.
Sarah Mitchell 
Introducing Licenz: Enterprise Airgap Security Without the Enterprise Tax
Today we're launching Licenz, a modern software licensing solution that brings enterprise-grade security to air-gapped environments without the complexity and cost of legacy systems.
Alex Chen