Secure Software, Firmware, and Model Distribution

Overview

This guide shows how to securely distribute software updates, firmware, and AI model updates using encrypted containers with cryptographically enforced access control.

Software packages, firmware images, and AI model updates represent critical intellectual property and operational infrastructure. Unauthorized access or tampering can result in intellectual property theft, system compromise, or unauthorized deployment.

Traditional update distribution methods rely on storage permissions, signed URLs, or transport-layer security. These approaches cannot prevent unauthorized access if update files are copied, intercepted, or distributed outside trusted infrastructure.

Locktera secures software and model updates by encrypting update packages into immutable containers and enforcing access policies cryptographically at the time of decryption. Only authorized systems may decrypt and install updates.

This ensures that updates remain protected regardless of where they are stored, transferred, deployed, or copied.

Key Concepts

Cryptographically Protected Update Packages

Software, firmware, and model updates are encrypted into Locktera containers before distribution.

This ensures:

  • Unauthorized systems cannot access update contents

  • Update packages cannot be installed without authorization

  • Protection persists regardless of storage or transport method

  • Update files remain encrypted at rest and in transit

Container contents remain immutable.

Secure Update Distribution

Encrypted update containers may be distributed using any infrastructure, including:

  • Cloud storage platforms

  • Content delivery networks (CDNs)

  • Software update servers

  • Edge distribution systems

  • Partner or customer-hosted environments

Only authorized systems may decrypt and install the update.

Cryptographic Access Enforcement

Access is enforced at the time of container decryption.

This ensures:

  • Only authorized systems may install updates

  • Unauthorized copies cannot be used

  • Access can be revoked immediately if needed

  • Update distribution remains secure even in untrusted environments

Access enforcement does not rely on storage permissions or network controls.

Audit Logging of Update Deployment

Every update access generates an audit record.

Audit logs provide visibility into:

  • Which system accessed the update

  • When the update was accessed

  • Which update version was deployed

  • Whether access was authorized or denied

This enables secure deployment tracking and forensic analysis.

Common Use Cases

This workflow is commonly used for:

  • Secure AI model deployment

  • Secure software upgrade distribution

  • Secure firmware distribution to devices

  • Secure edge device updates

  • Secure software delivery to customers

  • Protecting proprietary software and models

Comparison to Traditional Update Distribution

Architecture Flow

Software Vendor or Model Owner

        │ Encrypt update package

Encrypted Update Container (.tera)

        │ Distribute via storage, CDN, or update server

Deployment System or Device

        │ Decrypt container (if authorized)

Update installed securely

Unauthorized systems cannot decrypt or install the update.

Deployment Options

The Locktera runtime may be deployed in several forms depending on the target environment:

• Integrated into the application using the Locktera SDK
• Installed as a lightweight runtime on deployment systems or edge devices
• Embedded into firmware update or software update components
• Integrated into secure hardware environments such as TPM, Secure Enclave, or HSM-backed systems

The runtime operates locally on the authorized deployment system and enforces access policies independently of storage, transport, or update distribution infrastructure.

Security Benefits

This architecture ensures:

• Unauthorized systems cannot decrypt or install updates
• Update packages remain protected regardless of where they are stored or distributed
• Update integrity and authenticity are cryptographically enforced
• Access may be revoked or restricted at any time
• Update deployment activity is fully audit logged

This enables secure distribution of proprietary software, firmware, and AI models across cloud, edge, and device environments.

Prerequisites

  • Locktera API key

  • Software, firmware, or model update file

  • Authorized deployment system identity

Base URL:

https://share.locktera.com/api/v1

Authentication header:

Authorization: Bearer YOUR_API_KEY

Step 1 — Encrypt Software or Model Update

Encrypt the update package into a secure container.

Request:

manifest.json

{
  "container": {
    "drm": {
      "dynamic": true
    }
  }
}

curl -X POST $BASE_URL/users/USER_ID/containers/encode \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -F "manifest.json=@manifest.json;type=application/json" \
  -F "name=Software Update Container" \
  -F "file=@software_update.bin"

Response:

{
  "org_id": "YOUR_USER_ID",
  "container": {
    "uuid": "123e4567-e89b-12d3-a456-426614174000",
    "name": "Software Update Container"
    "created_at": "2026-02-21T18:35:17Z"
  }
}

The update is now encrypted and protected.

Step 2 — Grant Deployment System Access

Grant access to authorized systems or devices.

Request:

curl -X PATCH $BASE_URL/users/USER_ID/containers/CONTAINER_ID/drm \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
        "recipients": [
          "deployment-system@company.com"
        ]
      }'

Response:

{
  "org_id": "YOUR_USER_ID",
  "container": {
    "uuid": "123e4567-e89b-12d3-a456-426614174000",
    "recipients": [
      "deployment-system@company.com"
    ]
  }
}

Only authorized systems may install the update.

Step 3 — Authorized System Retrieves and Installs Update

Authorized deployment systems retrieve and decrypt the update.

Request:

curl -X GET $BASE_URL/users/USER_ID/containers/CONTAINER_ID/decode \
  -H "Authorization: Bearer DEPLOYMENT_SYSTEM_API_KEY"

Response:

{
  "org_id": "YOUR_USER_ID",
  "container": {
    "uuid": "123e4567-e89b-12d3-a456-426614174000",
    "files": [
      {
        "name": "software_update.bin"
      }
    ]
  }
}

The system may now install the update securely.

Step 4 — Unauthorized Access is Automatically Blocked

If an unauthorized system attempts access:

Response:

{
  "error": "access_denied",
  "message": "Decryption is not permitted for this container."
}

Unauthorized systems cannot install updates.

Step 5 — Audit Update Deployment Activity

Retrieve audit records for update distribution.

Request:

curl -X GET $BASE_URL/users/USER_ID/containers/CONTAINER_ID/events \
  -H "Authorization: Bearer YOUR_API_KEY"

Audit logs provide verifiable records of update access and deployment.

Security Properties

This workflow ensures:

• Update packages are encrypted before distribution
• Only authorized systems can install updates
• Unauthorized copies cannot be used
• Container authenticity and integrity are cryptographically verified
• Container contents remain immutable and tamper-resistant
• Access may be revoked instantly
• All update access is audit logged
• Protection persists regardless of storage, transport, or distribution method

Comparison to Traditional Update Distribution

Traditional update systems rely on:

  • Download permissions

  • Signed URLs

  • Transport-layer security

  • Storage access controls

These methods cannot prevent unauthorized access if update files are copied.

Locktera enforces access cryptographically at the update package level.

Summary

Locktera enables secure distribution of software, firmware, and AI model updates by encrypting update packages into immutable containers with persistent cryptographic access control. Only authorized systems may decrypt and install updates, ensuring protection against unauthorized access, tampering, and distribution.