Anti Piracy - Online Activation vs Keyfile?

Hi, I have been reading several posts about anti piracy and have been thinking about the pros and cons of various schemes. I know that it is not easy or cheap to prevent piracy entirely so I would like to implement enough measures to encourage most potential customers to purchase a licence!

I really don’t like using dongles and as a consumer, I tend to avoid purchasing software that uses one. I am also less keen on purchasing from smaller companies that only offer online activation as I would be relying on the licencing server being available in the future. For this reason, I am increasingly liking the idea of using an RSA encrypted keyfile containing user information only (not tied to hardware IDs).

The pros of using a keyfile instead of online activation are:

  • Users can keep a copy of the keyfile forever and activate it on a new machine in the future.
  • Activation is offline so users don’t have to rely on the company maintaining a licence server forever.
  • Activation is easier for users and should reduce support costs.
  • The web server code is far easier to implement.

The cons are:

  • The keyfile can be easily shared with non-paying users.
  • I can’t think of any way to prevent shared keyfiles from being activated.
  • I can’t think of any way to deactivate licences.

Online activation is still somewhat appealing as it offers more control over licence activation. However, it adds so much complexity at the web server end. It also comes with the responsibility to keep the licencing web infrastructure maintained well into the future to ensure that users can still activate the software.

I am hoping to price the software somewhere around £150 to £200. Is it too risky to provide permanent keyfiles? Is there a way to prevent keyfiles from being shared? Alternatively, is online activation (using hardware IDs) worth the additional coding & maintenance effort for a product in this price range?

I would love to know your thoughts on this!


I use keyfiles, and overall it’s been a good experience. To prevent sharing at least to some extent, the (signed) keyfile contains the user’s email address, which is then dynamically shown in a corner of the UI.
I also “call home” which is a way to disable shared keyfiles (should I ever find any) and also cracked versions. Although this can be circumvented by going offline or using a firewall, it’s clearly better than nothing. All in all, the scheme usually works for a few weeks or even months before a crack is released, which is enough to ride the most important sales wave after a release.

1 Like

Thanks @siedschl, good to know!

I guess having the users email address in the keyfile and displayed in the UI is a pretty good deterrent. Also, calling home is a great idea! It provides a method for deactivating blacklisted keyfiles and it would have no impact on legitimate users (even if my website was no longer online).

When disabling a shared keyfile, what is the best way to prevent the user from reactivating using the same keyfile? I am guessing that something needs to be hidden on the machine somewhere so that it can be checked when the program launches?

Just keep checking your blacklist online script from your software every now and then (preferably at different places in the code). If myEmail = blacklisted then exit. Or show a nag screen.