Protect Java apps and control where they can run

Upload your application, encrypt the sensitive bytecode, bind the license to the target machine, and deliver a ready-to-run protected package.

Protect core code

Encrypt the classes, packages, embedded JARs, or dependency JARs that contain your business logic.

Control authorization

Bind each license to one target machine and choose long-term or time-limited access before delivery.

Run in containers

Run protected Java applications in Docker and Kubernetes container deployments, with authorization bound to the host machine.

Deliver with confidence

The encrypted package includes the signed license, runtime files, and platform scripts for deployment.

JAR, WAR, Spring Boot, Tomcat, Classes Encrypt, License Control, Machine Bound, Docker, Kubernetes, macOS, Linux, Windows

My encryption

Choose the application you want to protect, collect the target machine ID, select sensitive code, and generate the encrypted licensed package.

Choose JAR, WAR, or plain JAR dependency ZIP, up to 300 MB
For ZIP uploads, the main JAR must be in the ZIP root. JARs with Main-Class are recommended automatically.
The license is bound to one target machine. Collect its Machine ID before submitting.
Limits how many instances of the same license can run on this machine at the same time.
Select the classes and libs to encrypt. Prefer business code you wrote; selecting framework code, such as Spring, may prevent the application from starting.

How to use the encrypted file

Use the generated package as your protected delivery artifact. It already includes the encrypted application, signed machine-bound license, runtime configuration, native files, and start scripts for every platform available in this build. The recommended Java runtime is JDK 21 or a verified lower JDK; other JDK versions require compatibility testing.

JAR or Spring Boot JAR

  1. Unzip the result package.
  2. Keep the extracted directory structure unchanged.
  3. Run the JAR script for your platform. It locates app, native files, bce.properties, and license.bce automatically. macOS uses universal2 native files and requires macOS 11 Big Sur or newer.
  4. The native agent verifies license.bce online and starts only on the bound machine.

WAR on Tomcat

  1. Unzip the result package.
  2. Deploy the encrypted WAR from app/ using your normal Tomcat deployment method.
  3. Copy bce.properties, license.bce, native/, and app/ from the result package into TOMCAT_HOME/lib.
  4. Copy bce-run-tomcat and bce-core-run-tomcat scripts to TOMCAT_HOME/bin.
  5. Run sh bce-run-tomcat.sh from TOMCAT_HOME/bin.

Plain JAR with encrypted dependencies

  1. Encrypted JARs that run in one JVM must come from the same encrypted package and share one license.bce.
  2. The main JAR must be in the ZIP root. Dependencies may stay in root or subdirectories such as lib/.
  3. Select one main JAR, choose main JAR classes/packages, and select dependency JARs by JAR path.
  4. The result keeps the dependency directory structure and uses one license.bce for the whole bundle.
  5. Run it with the normal bce-run-jar script.

Docker and Kubernetes

  1. Unzip the result package on the target host or Kubernetes node.
  2. Start the host helper on the host operating system. For Kubernetes, start it on every node that may run the app. Docker Desktop example: scripts/bce-host-binding-daemon.sh --endpoint tcp:127.0.0.1:37631. Linux/Kubernetes example: sudo scripts/bce-host-binding-daemon.sh --endpoint unix:/run/bce/machine-id.sock.
  3. Put the result package into the application image or mount it into the container.
  4. Set BCE_BINDING_MODE=host-helper and BCE_HOST_BINDING_ENDPOINT in the container. Docker Desktop uses tcp:host.docker.internal:37631. Linux/Kubernetes uses unix:/run/bce/machine-id.sock.
  5. Run the app with scripts/bce-run-jar.sh, scripts/bce-run-tomcat.sh, or the app manifest example under scripts/container.
  6. If anything is unclear, check README.md and scripts/README.md in the result package.
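
One way to check the container settings from steps 2 and 4 before starting the app, as an added example that is not part of the result package or the vendor's scripts. The function names and return codes are assumptions of this example; the environment variables and endpoint forms are the ones listed above.

```shell
#!/bin/sh
# Added example: preflight for the host-helper settings from steps 2 and 4.
# Only the two endpoint forms shown above are accepted: tcp:HOST:PORT, unix:/PATH.
# Function names and return codes are this example's own choice.

# Prints "tcp HOST PORT" or "unix PATH"; returns 1 if the endpoint is malformed.
bce_endpoint_kind() {
    case "$1" in
        unix:/*)
            printf 'unix %s\n' "${1#unix:}" ;;
        tcp:*:*)
            rest=${1#tcp:}
            host=${rest%:*}     # everything before the last colon
            port=${rest##*:}    # everything after the last colon
            case "$port" in ''|*[!0-9]*) return 1 ;; esac
            [ -n "$host" ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
            printf 'tcp %s %s\n' "$host" "$port" ;;
        *)
            return 1 ;;
    esac
}

# Returns 0 when the container environment matches step 4, otherwise
# 2 (wrong mode), 3 (bad endpoint) or 4 (helper socket not mounted).
# A tcp endpoint is only checked for form; no connection is attempted.
bce_preflight() {
    if [ "${BCE_BINDING_MODE:-}" != "host-helper" ]; then
        echo "BCE_BINDING_MODE must be host-helper" >&2
        return 2
    fi
    kind=$(bce_endpoint_kind "${BCE_HOST_BINDING_ENDPOINT:-}") || {
        echo "BCE_HOST_BINDING_ENDPOINT is missing or malformed" >&2
        return 3
    }
    case "$kind" in
        unix\ *)
            path=${kind#unix }
            if [ ! -S "$path" ]; then
                echo "helper socket $path is not visible in this container" >&2
                return 4
            fi ;;
    esac
    return 0
}

# Usage in an entrypoint: bce_preflight || exit $?   (then continue with step 5)
```

A return code of 4 usually means the host helper's socket directory was not mounted into the container or the helper is not running on that node.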

Result package

  • app: encrypted application files
  • bce.properties: runtime configuration
  • license.bce: signed machine-bound license
  • native: platform native libraries and tools under native/macos, native/linux/x64, native/linux/arm64, native/windows/x64, and native/windows/arm64. macOS files are universal2 for x86_64 and arm64 with deployment target 11.0.
  • scripts: start scripts for JAR and Tomcat