DeployLX provides a secure means of storing information on the client machine to track changes in the license state between process exeuctions. This topic covers security requirements and limitations of the secure storage.
When a license is first validated DeployLX creates a hidden data store on the client somewhere in the machine registry or file system. The location and availability of this store is masked from the user so that they cannot locate or modify the store.
When a limit's state changes on the client machine it can store that state locally on the client and read it back the next time the license is validated.
This enable limits like the Time limit to track when the license was first validated and keep track of how much time remains. The secure storage is not removed when the software is removed, thus preventing a user from resetting the license by uninstalling the software. A complete machine reformat is needed to remove the secure store from the user's machine.
It's difficult to quantify security because it relies on the availability and security of the operating system and user accounts running the software. The fact that the information is stored on the client machine means it cannot be protected by a secure license key. Instead DeployLX uses features available on the OS and undocumented hidden techniques to disguise the location of the secure storage. However a hacker may be able to observe certain behaviors of applications protected by DeployLX and discover the location of the secure storage.
The primary risk in the discovery of the secure storage is the deletion of all the data in the secure storage effectively resetting the state of any limits that use it. DeployLX attempts to protect the storage and detect removal. Any licenses that depend on the continued security of the limit state (such as a Trial version with a Time limit) should enforce additional limitations, nag screens or other incentives that diminish the value of the software until the user obtains a license that does not depend on secure storage.
State that is stored in the .LIC file itself - such as expiration dates, use allowances, etc. - are not effected by this security risk and cannot be modified by a hacker. Only information that changes directly on the client without contacting a license server is exposed to this risk.
When secure storage is required the application must have have read and write access to the HKCU registry key. When RequireAdminOnFirstRun is true, then DeployLX will automatically set the correct permissions.