| Pros | Cons | |------|------| | Security: No internet ports opened on pen-testing asset. | Inconvenience: Requires physical media or secure file transfer. | | Compliance: Meets PCI, HIPAA, and FedRAMP air-gap requirements. | Latency: License changes (e.g., adding agents) require a new offline file. | | Stability: No accidental auto-updates breaking exploits. | Hardware sensitivity: Changing a NIC invalidates the verification. |
Once you have a verified offline activation, you need to maintain it. Here are enterprise-grade best practices: metasploit pro offline activation file verified
If you are a legitimate user and your offline activation file is not being verified, check these three things: | Pros | Cons | |------|------| | Security:
You will now use a separate, internet-connected machine to turn the request into an activation file. Confirm services started without license errors in logs:
The activation file is typically a base64‑encoded, serialized Ruby object (Marshal) or a signed JSON Web Token (JWT) variant.
Sign at Rapid7
Rapid7 signs the request data with their private key, embeds license limits (nodes, duration, features), and returns the .lic file.
Local verification
Metasploit Pro validates the signature using a hardcoded public key inside the Ruby code (or compiled extension).
It then checks: