Air-Gapped Licensing
Introduction
Many customers need to monitor their video feeds in a fully isolated environment where communication with the Internet is not allowed. This is especially common in physical security and other business-critical deployments where network isolation is a requirement. To support this need, EyesOnIt offers an alternate licensing model with downloadable license files and local license validation, which enables fully air-gapped operation.
To use EyesOnIt with air-gapped licensing, you'll run a very small license application on a computer (license server) in your network that EyesOnIt can reach. The license application needs to be running and accessible whenever EyesOnIt is running. You'll register license files with the license application. EyesOnIt will periodically connect to the license application to validate its license. All of this happens without any communication outside of your network.
High Level Steps
Setting up air-gapped operations and licensing requires the following steps:
- Generate a machine ID for your license server
- Receive and install license files from EyesOnIt
- Run Keygen Relay with your license information
The details of these steps are outlined below.
1. Generate a Machine ID for Your License Server
You will need to designate an internal computer as your license server. This can be the same computer that EyesOnIt runs on, or any other computer that EyesOnIt can access on your network.
You will generate the machine ID for your license server using a Go package from Keygen. Perform these steps on your designated license server:
Install Go
Linux: from a command line run:
sudo apt install golang-go
Windows: download and run the Windows installer from https://go.dev/dl/
Install the Go machineid package.
From a command line run:
go install github.com/keygen-sh/machineid/cmd/machineid@latest
Run machineid to generate the machine ID for your license server
Linux: by default, Go packages are installed into ~/go/bin. From a command line run:
cd ~/go/bin
./machineid --appid keygen-relay
Windows: from a command line run:
machineid.exe --appid keygen-relay
machineid will provide a machine ID like this:
1c1c82a2bcc0de578aa7a9faeecd9c2da69b8ef9f40d00aa2d7562baf1b4e12d
Send the machine ID
Email this machine ID to support@eyesonit.us
2. Receive and Install License Files from EyesOnIt
EyesOnIt will build a node-locked version of Keygen Relay using your license key and your machine ID following the steps here:
https://github.com/keygen-sh/keygen-relay#node-locking
EyesOnIt will securely transmit the following to you:
- node-locked version of Keygen Relay for your license server, with a SHA256 checksum so you can verify the integrity of the executable before running it
- a machine license file specific to your license server. This license file allows you to run your node-locked version of Keygen Relay only on your license server.
- an EyesOnIt license file for running EyesOnIt
Once received, copy the node-locked version of Keygen Relay to your license server. Copy the machine license file and the EyesOnIt license file to the license server or to a network location that the license server can access.
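Before the node-locked Relay is copied into place and run, compare it against the SHA256 checksum EyesOnIt sent with it. The following shell functions are an added example (not EyesOnIt's or Keygen's code); they assume the checksum arrives as a 64-character hex string and that sha256sum, shasum or openssl is available on the license server.

```shell
#!/bin/sh
# Added example, not part of EyesOnIt or Keygen Relay: verify the node-locked Relay
# executable against the SHA256 checksum EyesOnIt sends with it, before it is made
# executable or run. Uses whichever digest tool the license server has.

# sha256_of <file>: print the lowercase hex SHA256 of a file, or fail if no tool exists.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | cut -d' ' -f1
  elif command -v openssl >/dev/null 2>&1; then
    openssl dgst -sha256 "$1" | sed 's/.*= //'
  else
    echo "no SHA256 tool found" >&2; return 2
  fi
}

# verify_relay_checksum <file> <expected hex digest>
# Returns 0 only when the file exists and its digest equals the expected one.
verify_relay_checksum() {
  file="$1"
  # Normalise the expected value: lowercase, no surrounding whitespace.
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d '[:space:]')
  case "$expected" in
    *[!0-9a-f]*|'') echo "expected digest is not hex" >&2; return 1 ;;
  esac
  if [ ${#expected} -ne 64 ]; then
    echo "expected digest must be 64 hex characters" >&2; return 1
  fi
  [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
  actual=$(sha256_of "$file") || return 2
  if [ "$actual" = "$expected" ]; then
    echo "OK: $file matches the published SHA256"
    return 0
  fi
  echo "MISMATCH for $file: got $actual, expected $expected; do not run it" >&2
  return 1
}
```

Run it as `verify_relay_checksum ./relay <checksum from EyesOnIt>` and only proceed to the next step on "OK".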
3. Run Keygen Relay with Your License Information
Once your node-locked version of Keygen Relay is installed on your license server and your machine license file is available to it, you can start Relay. Run it from an account that has permission to execute the Relay binary and read the license files.
Note: for this documentation, we are assuming that your executable is simply named “relay” on Linux or “relay.exe” on Windows. We are also assuming that the machine license file is named machine.lic. You can change the name of the Relay executable and the machine license file to suit your needs.
To start the Relay server, run this command from a command line:
Linux:
./relay serve --port 6349 --node-locked-machine-file-path <path to machine file> --node-locked-license-key '<your license key>' &
Ex: ./relay serve --port 6349 --node-locked-machine-file-path ~/eyesonit/machine.lic --node-locked-license-key '73F7DA-19BCBF-30B806-2F4C7D-3C2ACE-V3' &
Windows:
relay serve --port 6349 --node-locked-machine-file-path <path to machine file> --node-locked-license-key "<your license key>"
Ex: relay serve --port 6349 --node-locked-machine-file-path %homepath%/eyesonit/machine.lic --node-locked-license-key "73F7DA-19BCBF-30B806-2F4C7D-3C2ACE-V3"
Note: EyesOnIt requires Relay to run on port 6349.
Adding a License to Relay
With your EyesOnIt license file accessible to the Relay application, you can add that license to Relay.
Note: for this documentation we will assume that your license file is named “license.lic”.
To add a license to your Relay server, you will need the following:
- Your license file – provided by EyesOnIt
- Your license key – available on your account page
- The EyesOnIt public key, which Relay uses to verify the license file. The value of this key is: 2bb09637006cc262aa2fddf3e0e646477a4c87164ab693a86398637d80f083ec
To add a license to Relay, run this command from a command line:
Linux:
./relay add --file <path to license file> --public-key 2bb09637006cc262aa2fddf3e0e646477a4c87164ab693a86398637d80f083ec --key <your license key>
Ex: ./relay add --file ~/eyesonit/license.lic --public-key 2bb09637006cc262aa2fddf3e0e646477a4c87164ab693a86398637d80f083ec --key '73F7DA-19BCBF-30B806-2F4C7D-3C2ACE-V3'
Windows:
relay add --file <path to license file> --public-key 2bb09637006cc262aa2fddf3e0e646477a4c87164ab693a86398637d80f083ec --key <your license key>
Ex: relay add --file %homepath%/eyesonit/license.lic --public-key 2bb09637006cc262aa2fddf3e0e646477a4c87164ab693a86398637d80f083ec --key "73F7DA-19BCBF-30B806-2F4C7D-3C2ACE-V3"
If this command succeeds, you will see "license added successfully".
Other Relay server commands are documented on the Keygen Relay page at https://github.com/keygen-sh/keygen-relay.
EyesOnIt Configuration
Running EyesOnIt with air-gapped licensing requires a small amount of additional configuration. You will need to update the eyesonit_config.yml file before running EyesOnIt.
Docker
The eyesonit_config.yml file needs to be placed on your host server. You will map a Docker volume to the location of the file, so make sure to put the file in a location where you can map a volume.
Create eyesonit_config.yml with these two lines:
run_air_gapped: True
air_gapped_license_host: <IP address of server where Relay is running>
To use air-gapped licensing, set run_air_gapped to True. This value is case-sensitive, so make sure to follow the capitalization in the example.
You also need to set air_gapped_license_host to the IP address of the server where Relay is running. Note that for the Docker version of EyesOnIt, this address needs to be the IP of the host or another server. If Relay is running on the Docker host (the EyesOnIt container is running on the server that is also running Relay), you won't be able to access Relay through "localhost" since localhost refers to the container and not the host. In that case, try these options:
- the IP address of the host
- if your container is unable to resolve IP addresses due to network limitations:
  - on Linux or non-Docker Desktop environments: 172.17.0.1 (the default Docker bridge gateway)
  - on Docker Desktop environments: host.docker.internal
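The two mistakes this section warns about (wrong capitalization of True, and a license host that points at the container's own loopback) can be caught before the container is started. The following shell function is an added example, not part of EyesOnIt or its documentation; check_config and yaml_value are names chosen here, and the loopback check is applied only in docker mode because the Windows install can legitimately use localhost.

```shell
#!/bin/sh
# Added example, not part of EyesOnIt: sanity-check eyesonit_config.yml before starting
# EyesOnIt. It enforces the two required keys, the case-sensitive "True", and the Docker
# pitfall of pointing air_gapped_license_host at the container's own loopback address.

# yaml_value <key> <file>: value of a top-level "key: value" line, with CRLF and trailing
# spaces stripped (a file edited on Windows may carry \r line endings).
yaml_value() {
  sed -n "s/^$1:[[:space:]]*//p" "$2" | tr -d '\r' | sed 's/[[:space:]]*$//' | head -n 1
}

# check_config <path to eyesonit_config.yml> [docker|windows]
# Returns 0 when the file is usable; each problem is reported on stderr.
check_config() {
  file="$1"; mode="${2:-docker}"; status=0
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
  air=$(yaml_value run_air_gapped "$file")
  host=$(yaml_value air_gapped_license_host "$file")
  # The docs are explicit that the value is case-sensitive: "true"/"TRUE" are rejected.
  if [ "$air" != "True" ]; then
    echo "run_air_gapped must be exactly 'True' (got '${air:-<missing>}')" >&2; status=1
  fi
  if [ -z "$host" ]; then
    echo "air_gapped_license_host is missing" >&2; status=1
  elif [ "$mode" = docker ]; then
    case "$host" in
      localhost|127.*)
        # Inside the container, loopback is the container itself, not the Docker host.
        echo "air_gapped_license_host '$host' resolves to the container; use the host IP or host.docker.internal" >&2
        status=1 ;;
    esac
  fi
  return $status
}
```

Run `check_config /home/eyesonit/input/config/eyesonit_config.yml docker` (or `windows` for the Windows install) and fix anything it reports before launching EyesOnIt.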
When you run the Docker version of EyesOnIt, your docker run command should look something like this:
docker run \
  --name "<container friendly name>" \
  -d \
  -p 8000:8000 \
  --gpus all \
  --restart unless-stopped \
  -e EOI_LICENSE_KEY=<EyesOnIt license key> \
  -e EOI_AUTHORIZATION_TOKEN=<EyesOnIt auth token> \
  -v <host path>:/home/eyesonit_user/input \
  -v eyesonit_output:/home/eyesonit_user/output \
  "<eyesonit docker image name>"
where:
container friendly name - an optional friendly name for your container for your convenience
EyesOnIt auth token - your EyesOnIt auth token which you can see on your account page
-v <host path>:/home/eyesonit_user/input – maps the path <host path> on the Docker host to the path /home/eyesonit_user/input within the EyesOnIt Docker container. Replace <host path> with the location on your host where you want to store EyesOnIt input files. You will need to store eyesonit_config.yml at <host path>/config/eyesonit_config.yml. So if you use this in your Docker run command:
-v /home/eyesonit/input:/home/eyesonit_user/input
You should place eyesonit_config.yml on the host at
/home/eyesonit/input/config/eyesonit_config.yml
-v eyesonit_output:/home/eyesonit_user/output – an optional named Docker volume which allows you to see output from EyesOnIt in a Docker named volume. Use “docker inspect <container friendly name> | grep volume” to find the location of this volume on your host.
eyesonit docker image name – the name of the EyesOnIt Docker image to run (something like eyesonit/eyesonit_v3.2:latest).
With this configuration and run command, EyesOnIt will load eyesonit_config.yml from the host and will use the Relay server for air-gapped licensing.
Windows
The eyesonit_config.yml file needs to be placed under <user>\AppData\Local\Programs\EyesOnIt\input\config. For example, if your username is "test_user", this folder would probably be c:\users\test_user\AppData\Local\Programs\EyesOnIt\input\config.
If you are running EyesOnIt as a Windows service, the eyesonit_config.yml file should go under C:\Windows\System32\config\systemprofile\AppData\Local\Programs\EyesOnIt\input\config.
Create eyesonit_config.yml with these two lines:
run_air_gapped: True
air_gapped_license_host: <IP address of server where Relay is running>
To use air-gapped licensing, set run_air_gapped to True. This value is case-sensitive, so make sure to follow the capitalization in the example.
You also need to set air_gapped_license_host to the IP address of the server where Relay is running. This can be localhost, or it can be another IP address like 10.0.0.25.
With this configuration, EyesOnIt will load eyesonit_config.yml from the host and will use the Relay server for air-gapped licensing.
License Verification
To verify that the license is configured properly, open a browser and navigate to http://<EyesOnIt Host IP>:8080/dashboard. You should see:
Server Status:Connected
License Status:Valid
If you do not see this, please check your configuration, or contact us at support@eyesonit.us for help.
Conclusion
As a final comment, please note that SMS alerts will be disabled when air-gapped licensing is active, because SMS alerts require an Internet connection. RTSP and VMS notifications can still be used, but take care to configure EyesOnIt with internal URLs for these notifications so that EyesOnIt never attempts to connect to the Internet.