Restricting a Flash Disk to a motherboard or a cpu bios

davesingh used Ask the Experts™
I have build a gaming application build on windows platform. I want install the OS+my applicaiton on a 2GB flash disk. Now the main task is to encrypt the disk and restrict it to a motherboard or a cpu bios so that every computer with this flash disk is restricted and sealed to a given user and cannot be duplicated.
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Unfortunately, there is (simple) way to guarantee that it is not being copied to another device. Even Microsoft, Adobe, etc. have been trying for over a decade and cannot stop it. However, there are things you can do to minimize the risk.

Locking to a BIOS, even if possible, prohibits the user from upgrading their BIOS. Locking it to a CPU prohibits them from upgrading their CPU. Anytime you lock it down to a specific hardware device, you take away the user's ability to upgrade the part, or replace the part if it becomes defective. This may work for a very small group (i.e. a small office) sine you can reissue the activated program for the new hardware, but quickly becomes unmanageable as the user base grows.

One option is TPM (, which can use motherboard add-on cards, USB devices, etc. that are issued individually. The program can then check that the TPM device(s) are currently active on the system. This doesn't prevent somebody form taking it to a new computer, but it does prevent somebody without an issued device to use the program (and the device cannot be easily obtained or duplicated). Unfortunately, I am more of an end user on this, and although I know how it works behind the scenes, I do not know how to perform the code development to do so or how to best deploy such a solution.

If that's too complicated (understandable), the best solution for you may be some sort of activation mechanism in the software to limit the program's ability to be run on unauthorized computers. Either via activation keys with an Internet lookup to verify it's a valid key and not already in use, or other method.


Please share how to :

1. Lock to a BIOS?
2. Lock to a CPU?
3. TPM in detail

Thanks a lot in advance!
Top Expert 2010
Geowin gives good advice in #33134456, but let me offer another option and some more info

 - To prevent booting, you need to get a vanity BIOS.  Just forget that option unless you will be making millions of dollars in license revenue.  Unless you are supplying the computer, then it isn't practical.

 - It is cost prohibitive to use an encrypted disk/controller combination (hundreds of dollars)

 - My suggestion is to do something along the lines of what I had to resort to, in order to prevent piracy.  Get a secure USB device that has unique serial numbers, and ability to encrypt/protect hidden areas.   Then after the bootstrap kicks in and the O/S loads, have some code that verifies that this is YOUR protected USB, and has your unique identification info on it (that is hidden).  This way, end-user could make a bit copy from RAM, or from the USB flash, onto their own device .. and even though the bit copy is a bit copy, it still won't work.  I ended up getting a patent on a certain way to do this, but the patent is also for a specific use, so I doubt there would be any infringement for gaming use.  If you want me to point you to right direction, look at my profile and drop me an email.

As this is a public forum, and a software licensing/security mechanism, I am not going to post details on it in a public forum, so hopefully moderators won't have a problem with this.

I'm assuming you are selling each USB key directly, without prior knowledge of the computer it's going to run on...

This makes it extremely difficult.

You'll need to secure the executable after its physically connected to the computer, because you won't know beforehand any of the details about the computer.

That means you'll need to encrypt some data during the "installation" process, and write this encrypted data back to the flash drive you're running from.  Modern OS es really hate self modifying code, though, and that's what you're looking for.  You're also likely to trip every antivirus tool out there.

Btw, if you use a CERT to sign your code, this method won't work.

Honestly, I don't think there is a good answer.  I've thought about this for years.


Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial