Key a Program

In addition to K2’s standard method of managing programs and their respective software licenses, K2 also provides a "legacy" method that can sometimes* be used to secure programs against intentional software piracy.

The extra work of preparing and distributing a secured or “keyed” program variant is optional and completely unnecessary except when intentional piracy is a concern or as a means of uniquely tagging a particular executable file for KeyServer management.

When to use Keyed Control

The license management interface, usage tracking, license enforcement options, reports etc. for both standard and keyed program variants are essentially the same. However, on a computer where KeyAccess has been removed or disabled, a keyed program will not launch while an unkeyed program will. Also, when a client is not in the scope of any Manage policy, the launch of a keyed program cannot be Ignored or Observed – it will be Denied (unlike the unkeyed case).

The essential difference between an unmodified and a keyed version of a program is revealed when KeyAccess is absent, or when KeyServer has no policy which is applicable to the client. The unmodified version will simply run while the keyed version will not.

The keyed option may be useful in two cases:

  1. when you cannot guarantee that KeyAccess will remain installed and correctly configured on all the computers you intend to manage or
  2. when you need to easily distinguish (and secure?) “institutional copies” of software for KeyServer management (wherever they may be installed) while being sure to avoid interfering with personally owned copies.
  3. when distributing proprietary software (e.g. developed "in house") that you wish to prevent from being run without connecting to your KeyServer.

If none of these conditions applies in your situation, you should manage each program variant (i.e. "major version") in its unmodified form.

Maintenance update installers, routinely available from a publisher’s web site, make the “security” of keyed programs much less certain than in previous years! An update installer's job is to replace an old executable file version with a newer version. When applied to a keyed program, the updater may behave in one of five ways.
The updater may:
  1. transform the keyed program to the new version which remains keyed
  2. set the program free, transforming it to an unkeyed newer version
  3. transform the keyed program into a broken executable
  4. refuse to run, complaining that the original program is damaged or cannot be found
  5. post a message “Sassafras Keyed Binary your IT Administrator ...” (Adobe)

* Before relying on the keyed option for security or as a means of uniquely tagging a particular executable for KeyServer management, be sure to investigate item b) from the caution above – make sure that updaters won't transform it to an unkeyed version. Note: item e) from the caution above refers to the special behavior of several recent Adobe products whose installers recognize keyed software and can be customized to produce a keyed update (i.e. the updater is customized to produce the behavior listed in item e.


KeyVerify is an example of a specially modified, “keyed”, program. Unlike a standard program (e.g., Calculator), it will not run if the KeyAccess client software is absent or not properly setup. Removing KeyAccess from a client computer will completely disable keyed programs – but any other managed programs (i.e. “unkeyed” programs) will be “set free”. In this sense, a keyed program is managed “securely” against software piracy. If you have other programs where this kind of security is required, you may consider transforming a copy of the standard executable file into a “keyed variant” which you can then distribute.

Key a Program

Select the "Key a Program ..." menu item from the File menu.

A keyed program file cannot be unkeyed! Before transforming a program file into a keyed version always be sure the program installer is available so you can reconstruct the original or else be sure that you are transforming a duplicate copy and that the original is safely archived.

Adding a Keyed Program to a Product Definition

Standard product definitions from Sassafras will never include keyed variants. You may use the New Product Wizard to create new Product definition to include the keyed program. More typically, you may need to associate your keyed variant with a Product definition that already exists for its unkeyed counterpart. In this case, open the details window for the appropriate product and make sure that the programs pane is visible. Then drag the keyed variant into the programs pane of the Product Details window.