ASTIS products and services

The primary ASTIS client application — a web/PWA platform for encrypted email that works across PC, mobile, and tablet. All encryption and decryption happens client-side on your device.

Key Features

• Web and PWA — works on any device with a browser
• Client-side encryption and decryption (AES-256-GCM + OpenPGP)
• Works with your existing email provider (Gmail, Microsoft 365, SMTP)
• Key management and session key capsule handling
• TTL, policies, and audit integration
• Responsive design for desktop, mobile, and tablet

Seamless encryption for Mozilla Thunderbird with full PGP support and key management.

Key Features

• Automatic email encryption and signing
• Built-in key management
• S/MIME and OpenPGP support
• Works with existing email accounts
• Cross-platform compatibility

End-to-end encryption for Gmail directly in your browser with zero configuration.

Key Features

• Seamless Gmail integration
• One-click encryption
• Automatic key exchange
• Secure attachment handling
• Mobile-responsive design

Enterprise-grade encryption for Outlook Web with seamless Office 365 integration.

Key Features

• Office 365 integration
• Enterprise policy support
• Calendar encryption
• Shared mailbox support
• Azure AD authentication

Distributed keyserver infrastructure for publishing and discovering OpenPGP public keys across the network using Web Key Directory protocol.

Key Features

• RFC 8605 compliant WKD implementation
• Automatic key discovery via email domain
• HTTPS-based secure key retrieval
• HKP protocol support
• Key synchronization with SKS network
• Email verification for key uploads
• Rate limiting and spam protection
• RESTful API for integration

Session key capsule management service. Handles encrypted capsule storage, retrieval, TTL enforcement, and policy-based access control.

Key Features

• Encrypted capsule storage and retrieval
• TTL enforcement and automatic expiry
• Policy-based access control
• Multi-tenant architecture
• Integration with BYOK and HYOK via CVS
• Audit logging and compliance reporting

Cross-platform client-side cryptographic engine powering ASTIS plugins on Windows, macOS, and Linux. All encryption and decryption happens locally on the device.

Key Features

• AES-256-GCM content encryption
• OpenPGP (RFC 4880) session key capsule wrapping
• Local key generation and management
• Cross-platform: Windows, macOS, Linux
• Plugin integration (Thunderbird, Gmail, Outlook)
• Offline-capable encryption and decryption

Rust-compiled WASM cryptographic engine that runs entirely in the browser. Powers in-browser ASTIS Mail (PWA) and is available to customer web applications via the API platform — full sealed envelope, OpenPGP, and capsule operations without a native install.

Key Features

• Compiled from Rust to WebAssembly via wasm-pack
• OpenPGP (RFC 4880) operations (encrypt / decrypt / sign / verify)
• Sealed envelope and SKEY capsule operations
• Runs inside the browser sandbox — no plugin install
• Distributed as an npm package consumed by PWA Mail and Portal
• FIPS-validated build on the certification roadmap

Server-side cryptographic processing designed for mobile users who want the simplest, fastest way to use encrypted email — no plugin installation required.

Key Features

• No plugin or app installation required
• Designed for mobile platforms (iOS, Android)
• AES-256-GCM content encryption
• OpenPGP session key capsule wrapping
• Plaintext processed transiently, never persisted
• Instant onboarding for new users

PrivatePGP key vault with binding-based access control. Stores sealed private-key material; the password is never recoverable by CVS. Managed CVS may process key material transiently in memory during approved operations; HYOK and CVS Hybrid move that boundary to customer infrastructure.

Key Features

• Sealed private-key storage
• Binding-based access control (enroll, revoke, rotate)
• Organization-scoped audit logging
• Redis-backed domain profile caching
• BYOK / HYOK / CVS Hybrid custody routing

Security encryption layers for enterprise key governance. BYOK lets customers import and manage their own keys via CVS gateway. HYOK keeps decryption authority entirely on customer infrastructure.

Key Features

• BYOK: import and manage your own encryption keys
• HYOK: keys never leave customer infrastructure
• Hardware Security Module (HSM) support
• Automated key rotation and lifecycle management
• Zero-knowledge for email content
• Compliance with data residency requirements

Kubernetes secret protection where infrastructure access does not mean data access. A pod decrypts its secret in RAM via HPKE-X25519 (ASTIS:v2 sealed envelope); the ASTIS edge authenticates the workload and routes only a wrapped DEK capsule, which CVS rewraps to the pod’s ephemeral key. In Kubernetes-native sealed-envelope mode, stored Secrets, manifests, and etcd backups stay ciphertext — read-only cluster or backup access sees only ciphertext.

Key Features

• Four-layer workload release policy (strict, fail-closed by default): bound API key + pod-bound ServiceAccount JWT (name + UID) + RAM-only DPoP with single-credential pin + live-pod image digest where every running image (app, init, sidecar) must be approved
• Tier 1 (ASTIS-managed org key) and Tier 2 HYOK (org key never leaves your infrastructure)
• End-to-end round-trip proven on a real Kubernetes cluster (HPKE-X25519, ASTIS:v2) — not slideware
• Honest boundary: a stolen SA token or API key alone cannot unwrap; residual risk is in-pod memory after plaintext release (kubectl exec / node-root) and full control-plane compromise — harden with distroless images, restricted exec RBAC, admission policy, and image signing
• Design-partner onboarding via engineering; packaged pod-side SDK, GA, and SLA in progress