Secure Software, Firmware, and Model Distribution
Overview
This guide shows how to securely distribute software updates, firmware, and AI model updates using encrypted containers with cryptographically enforced access control.
Software packages, firmware images, and AI model updates represent critical intellectual property and operational infrastructure. Unauthorized access or tampering can result in intellectual property theft, system compromise, or unauthorized deployment.
Traditional update distribution methods rely on storage permissions, signed URLs, or transport-layer security. These approaches cannot prevent unauthorized access if update files are copied, intercepted, or distributed outside trusted infrastructure.
Locktera secures software and model updates by encrypting update packages into immutable containers and enforcing access policies cryptographically at the time of decryption. Only authorized systems may decrypt and install updates.
This ensures that updates remain protected regardless of where they are stored, transferred, deployed, or copied.

Key Concepts
Cryptographically Protected Update Packages
Software, firmware, and model updates are encrypted into Locktera containers before distribution.
This ensures:
-
Unauthorized systems cannot access update contents
-
Update packages cannot be installed without authorization
-
Protection persists regardless of storage or transport method
-
Update files remain encrypted at rest and in transit
Container contents remain immutable.
Secure Update Distribution
Encrypted update containers may be distributed using any infrastructure, including:
-
Cloud storage platforms
-
Content delivery networks (CDNs)
-
Software update servers
-
Edge distribution systems
-
Partner or customer-hosted environments
Only authorized systems may decrypt and install the update.
Cryptographic Access Enforcement
Access is enforced at the time of container decryption.
This ensures:
-
Only authorized systems may install updates
-
Unauthorized copies cannot be used
-
Access can be revoked immediately if needed
-
Update distribution remains secure even in untrusted environments
Access enforcement does not rely on storage permissions or network controls.
Audit Logging of Update Deployment
Every update access generates an audit record.
Audit logs provide visibility into:
-
Which system accessed the update
-
When the update was accessed
-
Which update version was deployed
-
Whether access was authorized or denied
This enables secure deployment tracking and forensic analysis.
Common Use Cases
This workflow is commonly used for:
-
Secure AI model deployment
-
Secure software upgrade distribution
-
Secure firmware distribution to devices
-
Secure edge device updates
-
Secure software delivery to customers
-
Protecting proprietary software and models
Comparison to Traditional Update Distribution

Architecture Flow
Software Vendor or Model Owner
│
│ Encrypt update package
▼
Encrypted Update Container (.tera)
│
│ Distribute via storage, CDN, or update server
▼
Deployment System or Device
│
│ Decrypt container (if authorized)
▼
Update installed securely
Unauthorized systems cannot decrypt or install the update.
Deployment Options
The Locktera runtime may be deployed in several forms depending on the target environment:
• Integrated into the application using the Locktera SDK
• Installed as a lightweight runtime on deployment systems or edge devices
• Embedded into firmware update or software update components
• Integrated into secure hardware environments such as TPM, Secure Enclave, or HSM-backed systems
The runtime operates locally on the authorized deployment system and enforces access policies independently of storage, transport, or update distribution infrastructure.
Security Benefits
This architecture ensures:
• Unauthorized systems cannot decrypt or install updates
• Update packages remain protected regardless of where they are stored or distributed
• Update integrity and authenticity are cryptographically enforced
• Access may be revoked or restricted at any time
• Update deployment activity is fully audit logged
This enables secure distribution of proprietary software, firmware, and AI models across cloud, edge, and device environments.
Prerequisites
-
Locktera API key
-
Software, firmware, or model update file
-
Authorized deployment system identity
Base URL:
https://share.locktera.com/api/v1
Authentication header:
Authorization: Bearer YOUR_API_KEY
Step 1 — Encrypt Software or Model Update
Encrypt the update package into a secure container.
Request:
manifest.json
{
"container": {
"drm": {
"dynamic": true
}
}
}
curl -X POST $BASE_URL/users/USER_ID/containers/encode \
-H "Authorization: Bearer YOUR_API_KEY" \
-F "manifest.json=@manifest.json;type=application/json" \
-F "name=Software Update Container" \
-F "file=@software_update.bin"
Response:
{
"org_id": "YOUR_USER_ID",
"container": {
"uuid": "123e4567-e89b-12d3-a456-426614174000",
"name": "Software Update Container"
"created_at": "2026-02-21T18:35:17Z"
}
}
The update is now encrypted and protected.
Step 2 — Grant Deployment System Access
Grant access to authorized systems or devices.
Request:
curl -X PATCH $BASE_URL/users/USER_ID/containers/CONTAINER_ID/drm \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"recipients": [
"deployment-system@company.com"
]
}'
Response:
{
"org_id": "YOUR_USER_ID",
"container": {
"uuid": "123e4567-e89b-12d3-a456-426614174000",
"recipients": [
"deployment-system@company.com"
]
}
}
Only authorized systems may install the update.
Step 3 — Authorized System Retrieves and Installs Update
Authorized deployment systems retrieve and decrypt the update.
Request:
curl -X GET $BASE_URL/users/USER_ID/containers/CONTAINER_ID/decode \
-H "Authorization: Bearer DEPLOYMENT_SYSTEM_API_KEY"
Response:
{
"org_id": "YOUR_USER_ID",
"container": {
"uuid": "123e4567-e89b-12d3-a456-426614174000",
"files": [
{
"name": "software_update.bin"
}
]
}
}
The system may now install the update securely.
Step 4 — Unauthorized Access is Automatically Blocked
If an unauthorized system attempts access:
Response:
{
"error": "access_denied",
"message": "Decryption is not permitted for this container."
}
Unauthorized systems cannot install updates.
Step 5 — Audit Update Deployment Activity
Retrieve audit records for update distribution.
Request:
curl -X GET $BASE_URL/users/USER_ID/containers/CONTAINER_ID/events \
-H "Authorization: Bearer YOUR_API_KEY"
Audit logs provide verifiable records of update access and deployment.
Security Properties
This workflow ensures:
• Update packages are encrypted before distribution
• Only authorized systems can install updates
• Unauthorized copies cannot be used
• Container authenticity and integrity are cryptographically verified
• Container contents remain immutable and tamper-resistant
• Access may be revoked instantly
• All update access is audit logged
• Protection persists regardless of storage, transport, or distribution method
Comparison to Traditional Update Distribution
Traditional update systems rely on:
-
Download permissions
-
Signed URLs
-
Transport-layer security
-
Storage access controls
These methods cannot prevent unauthorized access if update files are copied.
Locktera enforces access cryptographically at the update package level.
Summary
Locktera enables secure distribution of software, firmware, and AI model updates by encrypting update packages into immutable containers with persistent cryptographic access control. Only authorized systems may decrypt and install updates, ensuring protection against unauthorized access, tampering, and distribution.
