Main Content

Protect Code and Data in Deployable Archive

You can protect deployed application code with packaging options that allow you to obscure files and folder names, store secret information, and encrypt the deployable archive. Use these options separately or together to increase the security of your application.

For general information on protecting MATLAB® source code, see Security Considerations to Protect Your Source Code.

Protect User Data and Obfuscate File Structure

When MATLAB Compiler™ creates a deployable archive, MATLAB code files (plain text MATLAB files or P-code files) are encrypted using the standard AES-256 algorithm. By default, the names of files and the directory structure are not obscured and other file types (such as MAT, FIG, MEX, and so on) are not encrypted.

For all deployment targets, you can obscure the names of files and the directory structure and also encrypt other file types (such as MAT, FIG, MEX, and so on). The encrypted files remain encrypted on the disk but are decrypted in memory to their original form at run time.

You can protect your MATLAB code and data using one or more of the following options, depending on your packaging method.

  • Use the mcc -s option to obfuscate folder structures and file names in the deployable archive (CTF file) and place user code and data into a user package within the archive. During runtime, MATLAB code and data is decrypted and loaded directly from the user package rather than extracted to the file system. (since R2021b)

  • Use the mcc -j option to automatically convert all .m files to P-files before packaging. (since R2022b)

  • Use the ObfuscateArchive option in a compiler.build function to obfuscate folder structures and file names in the deployable archive, and convert all .m files into P-files before packaging. This option is equivalent to using mcc with both -s and -j specified. (since R2023a)

  • Use the -s (since R2021b) or -j (since R2022b) options in the Additional Runtime Settings area of the compiler apps.

For information on selecting a packaging method, see Choose Deployment Option.

Package Code with Sensitive Information Using Secrets

For standalone applications and web apps, if the MATLAB code you want to deploy handles sensitive strings of data, such as passwords, you can avoid putting them in your MATLAB code by storing them in your MATLAB vault as secrets. Then, you can package the deployable archive with secrets, which are decrypted at run time.

To include secrets in the deployable archive, store each secret in your MATLAB vault before packaging using setSecret. Retrieve the secrets in your deployed MATLAB code using getSecret. Then, specify the secret names in a secrets manifest JSON file using one of the following options, depending on your packaging method.

  • Use the SecretsManifest option in a compiler.build function. (since R2024b)

  • Use the mcc -J option. (since R2024a)

  • Use the -J option in the Additional Runtime Settings area of the compiler apps. (since R2024a)

For more information on deploying code that uses secrets, see Handle Sensitive Information in Deployed Applications.

For an example on creating a standalone application that uses secrets, see Access Sensitive Information in Standalone Application.

Require Decryption Key at Run Time

To control application access at run time, you can specify an AES encryption key and a MEX file loader interface to retrieve the decryption key.

Specify key and loader files during packaging using one of the following equivalent options, depending on your packaging method.

  • Use the ExternalEncryptionKey option in a compiler.build function. (since R2024b)

  • Use the mcc -k option. (since R2022b)

  • Use the -k option in the Additional Runtime Settings area of the compiler apps. (since R2022b)

For more details, see the mcc -k entry.

Package C++ Shared Libraries without MEX Loader

For C++ shared libraries, as an alternative to specifying both key and MEX loader at compile time, you can specify only the encryption key (since R2023b). You then provide the hex encoded 64 byte decryption key at runtime in your C++ application as an argument for the initMATLABLibrary (MATLAB Compiler SDK) function using the MATLAB Data API or the <library>InitializeWithKey (MATLAB Compiler SDK) function using the mwArray API. For this workflow, the syntax is:

mcc mfilename1 -W 'cpplib:library_name' -k '<keyfile>'

See Also

| | |

Related Topics