Air-Gapped Licensing

Introduction

Many customers want to monitor their video feeds in a completely secure environment where communication with the Internet is not allowed. This is especially common in physical security or other business-critical scenarios where digital security is essential. To support this need, EyesOnIt offers an alternate licensing model with downloadable license files and local license validation. This solution enables air-gapped operations for ultimate security.

To use EyesOnIt with air-gapped licensing, you'll run a very small license application on a computer (license server) in your network that EyesOnIt can reach. The license application needs to be running and accessible whenever EyesOnIt is running. You'll register license files with the license application. EyesOnIt will periodically connect to the license application to validate its license. All of this happens without any communication outside of your network.

High Level Steps

Setting up air-gapped operations and licensing requires the following steps:

  1. Generate a machine ID for your license server
  2. Receive and install license files from EyesOnIt
  3. Run Keygen Relay with your license information

The details of these steps are outlined below.

1. Generate a Machine ID for Your License Server

You will need to designate an internal computer as your license server. This can be the same computer that EyesOnIt runs on, or any other computer that EyesOnIt can access on your network.

You will generate the machine ID for your license server using a Go package from Keygen. Perform these steps on your designated license server:

Install Go

    sudo apt install golang-go

Install the Go machineid package.

From a command line run:

    go install github.com/keygen-sh/machineid/cmd/machineid@latest

Run machineid to generate the machine ID for the license server

By default, Go packages are installed into ~/go/bin:

    cd ~/go/bin
    ./machineid --appid keygen-relay

machineid will provide a machine ID like this:

    1c1c82a2bcc0de578aa7a9faeecd9c2da69b8ef9f40d00aa2d7562baf1b4e12d

Send the machine ID

Email this machine ID to support@eyesonit.us

2. Receive and Install License Files from EyesOnIt

EyesOnIt will build a node-locked version of Keygen Relay using your license key and your machine ID following the steps here:

https://github.com/keygen-sh/keygen-relay#node-locking

EyesOnIt will securely transmit the following to you:

  • node-locked version of Keygen Relay for your license server, with a SHA256 checksum so you can verify the authenticity of the executable
  • a machine license file specific to your license server. This license file allows you to run your node-locked version of Keygen Relay only on your license server.
  • an EyesOnIt license file for running EyesOnIt

Once received, copy the node-locked version of Keygen Relay to your license server. Copy the machine license file and the EyesOnIt license file to the license server or to a network location that the license server can access.
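
One way to perform the checksum comparison before the Relay executable is made runnable, as an added example rather than EyesOnIt's or Keygen's own tooling. The function name verify_sha256 and the stand-in demo file are constructed for illustration, and sha256sum from GNU coreutils is assumed to be installed.

```shell
#!/bin/sh
# Added example (not vendor tooling): compare a file's SHA-256 digest with
# the expected value. Returns 0 on match, 1 on mismatch, 2 on bad input.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper-case hex
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    # A SHA-256 digest is exactly 64 hexadecimal characters.
    case $expected in
        *[!0-9a-f]*) echo "malformed checksum" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed checksum" >&2; return 2; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file (got $actual)" >&2
    return 1
}

# Constructed demo: a stand-in "relay" file holding the bytes "abc", whose
# SHA-256 is the standard test vector below. In real use, pass the path of
# the received executable and the checksum that was supplied with it.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'abc' > "$demo_dir/relay"
DEMO_SUM=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad

# Only mark the file executable once the digest has matched.
verify_sha256 "$demo_dir/relay" "$DEMO_SUM" && chmod +x "$demo_dir/relay"
```

A matching digest shows the file is the one the checksum was computed over; it supports authenticity only when the checksum arrives over a channel you trust separately from the executable.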

3. Run Keygen Relay with Your License Information

Once you have your node-locked version of Keygen Relay installed on your license server and your machine license file is also available to Keygen Relay, run Relay. To start Relay, make sure you are logged in to an account with proper permissions.

Note: for this documentation, we are assuming that your executable is simply named “relay” on Linux or “relay.exe” on Windows. We are also assuming that the machine license file is named machine.lic. You can change the name of the Relay executable and the machine license file to suit your needs.

To start the Relay server, run this command from a command line:

    ./relay serve --port 6349 --node-locked-machine-file-path <path to machine file> --node-locked-license-key '73F7DA-19BCBF-30B806-2F4C7D-3C2ACE-V3' &

Example:

    ./relay serve --port 6349 --node-locked-machine-file-path ~/eyesonit/machine.lic --node-locked-license-key '73F7DA-19BCBF-30B806-2F4C7D-3C2ACE-V3' &

Note: EyesOnIt requires Relay to run on port 6349

Adding a License to Relay

With your EyesOnIt license file accessible to the Relay application, you can add that license to Relay.

Note: for this documentation we will assume that your license file is named “license.lic”.

To add a license to your Relay server, you will need the following:

  • Your license file – provided by EyesOnIt
  • Your license key – available on your account page
  • The EyesOnIt public encryption key. The value of this key is: 2bb09637006cc262aa2fddf3e0e646477a4c87164ab693a86398637d80f083ec

To add a license to Relay, run this command from a command line:

    ./relay add --file <path to license file> --public-key 2bb09637006cc262aa2fddf3e0e646477a4c87164ab693a86398637d80f083ec --key <your license key>

Example:

    ./relay add --file ~/eyesonit/license.lic --public-key 2bb09637006cc262aa2fddf3e0e646477a4c87164ab693a86398637d80f083ec --key '73F7DA-19BCBF-30B806-2F4C7D-3C2ACE-V3'

If this command succeeds, you will see "license added successfully".

Other Relay server commands are available from the Keygen Relay web page here.

EyesOnIt Configuration

Running EyesOnIt with air-gapped licensing requires a small amount of additional configuration. You will need to update the eyesonit_config.yml file before running EyesOnIt.

The eyesonit_config.yml file needs to be placed on your host server. You will map a Docker volume to the location of the file, so make sure to put the file in a location where you can map a volume.

Create eyesonit_config.yml with these two lines:

    run_air_gapped: True
    air_gapped_license_host: <IP address of server where Relay is running>

To use air-gapped licensing set run_air_gapped to True. This value is case-sensitive, so please make sure to follow the capitalization in the example.

You also need to set air_gapped_license_host to the IP address of the server where Relay is running. Note that for the Docker version of EyesOnIt, this address needs to be the IP of the host or another server. If Relay is running on the Docker host (the EyesOnIt container is running on the server that is also running Relay), you won't be able to access Relay through "localhost" since localhost refers to the container and not the host. In that case, try these options:

  • the IP address of the host
  • if your container is unable to resolve IP addresses due to network limitations:
    • on Linux or non-Docker Desktop environments: 127.17.0.1
    • on Docker Desktop environments: host.docker.internal

When you run the Docker version of EyesOnIt, your docker run command should look something like this:

    docker run \
      --name "<container friendly name>" \
      -d \
      -p 8000:8000 \
      --gpus all \
      --restart unless-stopped \
      -e EOI_LICENSE_KEY=<EyesOnIt license key> \
      -e EOI_AUTHORIZATION_TOKEN=<EyesOnIt auth token> \
      -v <host path>:/home/eyesonit_user/input \
      -v eyesonit_output:/home/eyesonit_user/output \
      "<eyesonit docker image name>"

where:

container friendly name - an optional friendly name for your container for your convenience

EyesOnIt auth token - your EyesOnIt auth token which you can see on your account page

-v <host path>:/home/eyesonit_user/input – maps that path <host path> on the Docker host to the path /home/eyesonit_user/input within the EyesOnIt Docker container. Replace <host path> with the location on your host where you want to store EyesOnIt input files. You will need to store eyesonit_config.yml at <host path>/config/eyesonit_config.yml. So if you use this in your Docker run command:

    -v /home/eyesonit/input:/home/eyesonit_user/input

You should place eyesonit_config.yml on the host at

    /home/eyesonit/input/config/eyesonit_config.yml

-v eyesonit_output:/home/eyesonit_user/output – an optional named Docker volume which allows you to see output from EyesOnIt in a Docker named volume. Use “docker inspect <container friendly name> | grep volume” to find the location of this volume on your host.

eyesonit docker image name – the name of the EyesOnIt Docker image to run (something like eyesonit/eyesonit_v3.2:latest).

With this configuration and run command, EyesOnIt will load eyesonit_config.yml from the host and will use the Relay server for air-gapped licensing.
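
A preflight lint for the configuration rules above, as an added example rather than EyesOnIt's own tooling: it checks the case-sensitive run_air_gapped value and flags a license host that is empty, still a placeholder, or localhost. The function names cfg_get and check_eoi_config and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not EyesOnIt tooling): lint eyesonit_config.yml.
# Prints one line per problem; returns 0 only when no problem is found.

# Read the value of a top-level "key: value" line, whitespace trimmed.
cfg_get() {
    sed -n "s/^$1:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$2" | head -n 1
}

check_eoi_config() {
    cfg=$1; problems=0
    [ -f "$cfg" ] || { echo "config not found: $cfg"; return 2; }
    flag=$(cfg_get run_air_gapped "$cfg")
    host=$(cfg_get air_gapped_license_host "$cfg")
    # The value is case-sensitive: only the exact string True is accepted.
    if [ "$flag" != "True" ]; then
        echo "run_air_gapped must be exactly True (found '$flag')"
        problems=$((problems + 1))
    fi
    case $host in
        "")  echo "air_gapped_license_host is not set"
             problems=$((problems + 1)) ;;
        *"<"*|*">"*)
             echo "air_gapped_license_host still contains a placeholder"
             problems=$((problems + 1)) ;;
        localhost|127.0.0.1)
             # Inside the container this refers to the container, not the host.
             echo "air_gapped_license_host '$host' refers to the container itself"
             problems=$((problems + 1)) ;;
    esac
    [ "$problems" -eq 0 ]
}

# Constructed sample files; 192.0.2.10 is a documentation-only address.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'run_air_gapped: True\nair_gapped_license_host: 192.0.2.10\n' > "$tmp/good.yml"
printf 'run_air_gapped: true\nair_gapped_license_host: localhost\n' > "$tmp/bad.yml"
check_eoi_config "$tmp/good.yml" && echo "good.yml: ok"
check_eoi_config "$tmp/bad.yml" || echo "bad.yml: rejected"
```

In a real deployment, point check_eoi_config at <host path>/config/eyesonit_config.yml on the Docker host before starting the container.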

License Verification

To verify that the license is configured properly, open a browser and navigate to http://<EyesOnIt Host IP>:8080/dashboard. You should see:

Server Status: Connected

License Status: Valid

If you do not see this, please check your configuration, or contact us at support@eyesonit.us for help.

Conclusion

As a final comment, please note that SMS alerts will be disabled when air-gapped licensing is active, because SMS alerts require an Internet connection. RTSP and VMS notifications can still be used, but customers should take care to configure EyesOnIt to use internal URLs for these notifications to ensure that EyesOnIt does not try to connect to the Internet.