Products and Solutions

ISC offers security products targeted at the protection of sensitive data at-rest or in-transit, as well as tools that facilitate certificate life-cycle management and PKI deployment in an enterprise setting. ISC also offers libraries that aid in the development of security-enabled applications. For more information, click one of the tabs below.

  • Data-at-Rest
  • Data-in-Transit
  • PKI
  • Dev. Tools
  • Export

Strong Protection for Sensitive Data-at-Rest


ISC's premiere file encryption utility. Provides file and e-mail confidentiality as well as sender and message authentication. For Windows, Windows Mobile, Mac OS X, and all popular UNIX platforms.
     SecretAgent product information (GUI and API tools)
     SA/TE transparent encryption (plug-in extension)
     SecretAgent command line interface (SA6CLI)
     DAS (cryptographic services for communities of interest)
     Certificate Explorer (client-side certificate management and PKI services)
     Bagala Editor (centralized management of security policies; formerly named PolicyAgent)


The perfect tool to secure data on your local PC or notebook. Creates sharable, AES-encrypted, virtual drives on your local hard disk or on a remote server. Also allows you to secure and distribute sensitive data stored on all types of removable media, including CDs, DVDs, zip disks, SD and compact flash cards, and memory sticks. Currently available for Windows only.
     SpyProof! Product Information
     Administering Security Policies (Bagala Editor, formerly name PolicyAgent)

Strong Protection for Sensitive Data-in-Transit (and Data-at-Rest)


ISC's premiere file encryption utility. Provides file and e-mail confidentiality as well as sender and message authentication. For Windows, Windows Mobile, Mac OS X, and all popular UNIX platforms.
     SecretAgent product information (GUI and API tools)
     SecretAgent command line interface (SA6CLI)
     Certificate Explorer (client-side certificate management and PKI services)
     PolicyAgent (centralized management of security policies)


A Java servlet that performs cryptographic operations on behalf of authorized users. DAS may be used for secure collaboration within a community of interest with a dynamic membership roster. It also enables role-based signing and other private key operations. When used with the CSPid virtual smartcard, it can be accessed from within any security-enabled application on any platform.

     DAS product information

Credential Management and PKI Support


Acala is a software HSM emulator that acts as a universal key store as well as a cryptographic service provider. It maintains a central repository for private keys and X.509 certificates, and provides a secure environment for cryptographic operations. Authorized applications run on the Acala host access its services via an industry-standard PKCS#11 API.
    Acala support page


ISC's NIAP-validated X.509 certificate authority issues RSA and ECC version 3 certificates and CRLs. CertAgentsupports multiple external LDAP repositories and clustering for load balancing and high-availability. It allows remote administration and manual or automatic processing of certificate requests submitted via browser, or e-mail, or via secure RMI from a remote registration authority. Its HTML/Java RMI-based technology is easy to customize and maintain. For Windows, Linux, and Solaris.
    CertAgent product information

Centralized Credential Management Servlet™ / CCMS™

CCMS is an X.509 registration authority with integrated CMP-based enrollment, key escrow, and recovery services. It provides separate administrative and end-user web interfaces.
     CCMS architecture diagram

Central Key Generation Library (CKG)®

CKG is a linkable library of routines that can be used to instrument CertAgent or a third-party X.509 certificate authority. It supports the automation of PKI enrollment (keypair generation/PKCS#10 submission/certificate retrieval) via CMP, as well as credential archival activities (with or without private key escrow). Included are methods for generating RSA keypairs and creating/parsing PKCS#10 certificate requests, PKCS#7/#8/#12 PDUs, certificates, and certificate chains. It can generate and submit enrollment, certificate revocation, and credential recovery requests to a CMP server (e.g., CCMS) via TCP, HTTP, or HTTPS. Critical cryptographic operations may be performed in software (using ISC's FIPS 140-2 validated CDK) or on an auxiliary HSM (via PKCS#11). For more details, see the complete API description on the:
    CKG support page


Bagala is a web service (based on REST over HTTPS) that allows applications to freely download (authenticated) data objects, but only grants upload rights to authorized administrators. Although the initial release is limited to the client-driven provisioning of proprietary configuration settings for ISC products, the product is capable of storing arbitrary data indexed by a DN (and attribute name) and therefore behaves like a generic data store with strong access controls on writes but not on reads.
    Bagala product information


Dhuma is an OCSP server designed to deliver optimal performance, high availability, load balancing, and management simplicity. Fully compliant with IETF Standards, Dhuma can be provisioned with CRLs manually, or via HTTP/HTTPS and LDAP/LDAPS. Dhuma periodically polls specified repositories to obtain CRL updates on a customizable schedule; CRLs are stored in a central database that can be accessed by all Dhuma servers in a cluster.

  • Dhuma is an easily-managed web application that runs on commodity hardware
  • It is highly configurable, providing administrative control over nonce handling, unknown response generation, cache settings, response validity periods, and CRL polling frequency
  • Dhuma supports software-based signing credentials as well as HSMs (for improved performance and security)
  • It supports clustering for high availability and scalability (i.e., load balancing)
  • Dhuma is designed, developed, and supported by ISC staff located in the U.S.


Tara facilitates the automated provisioning of servers (and the applications they host) with PKI credentials and trust chains. Leveraging existing ISC web services (Bagala and CCMS), Tara administrators can centrally manage and deploy server and application credentials as well as common trust anchors throughout an enterprise. Once installed on a host, Tara periodically downloads and installs updated trust stores from a central server. Tara also manages the host’s PKI credentials, automatically handling scheduled key rollover events and reconfiguring relying server processes to use updated keying material.

Tara is particularly useful in the automated provisioning of virtual servers as they come online in the cloud. When a new VM host instance is launched, Tara automatically interfaces with Bagala and CCMS to obtain that VM’s credentials and trust chains. When the VM is terminated, Tara informs CCMS that the host’s credentials are no longer in use.

Tara’s flexible plug-in architecture allows admins to deploy management scripts specifically targeted to their particular network and PKI ecosystem. Template scripts for the most popular web service platforms are provided. Tara supports pooled certificates, short-term certificates, and normal certificates with revocation.

Credential Management Utility™ / CMU™

CMU is a scriptable X.509 credential management utility that allows system administrators to automate many common PKI maintenance tasks that end users often find very difficult to perform manually. Currently available only for Windows.
     CMU product information


An operating system-agnostic virtual smartcard with an integrated, portable credential store and PKCS#11, Java, and CAPI interfaces that make its keys and cryptographic operations available to all applications (including CAPI- and non-CAPI-aware browsers). Its graphical user interface simplifies the PKI experience for end-users, allowing credentials to be moved effortlessly between workstations and obviating the need to replicate keys across independent applications. Its command line interface allows security officers to automate PKI enrollment, key rollover, and credential backup operations, among other tasks. Providing superior protection for private keys, it overcomes the password change/reset issues that plague IE and Mozilla. Optional DAS support provides access to role-based signing and 'community of interest' decryption services. For Windows, Linux, and Solaris.
     CSPid product information

Application Development Tools

Cryptographic Development Kits (CDKs)

For developers wanting to add security to their mission-critical applications, ISC's CDK offers FIPS 140-2 validated implementations of today's standard cryptographic algorithms in the form of linkable libraries. For Windows and all popular UNIX platforms.

     CDK product information

SecretAgent APIs

Embed fully SecretAgent-compatible, file- or buffer-based cryptographic operations into your own applications. Provided as a DLL or shared library, SA5API packages are available for Windows and all popular UNIX platforms.

     SecretAgent application programming interface (SA5API)

SecretAgent CLI

This command line executable version of SecretAgent offers nearly all of the features of the standard GUI-based product plus additional capabilities that are more suitable for scripting and use by unattended server processes. Supports pipes to perform all cryptographic operations in memory. Spawning the SA6CLI from within your own application is typically simpler than linking against a SA6API library. For Windows and all popular UNIX platforms.

     SecretAgent command line interface(SA5CLI)

Export Regulations

ISC products are subject to the export control laws administered by the United States Bureau of Industry and Security (BIS ). Their Export Administration Regulations provide information on a wide variety of export restrictions and must be consulted if you are planning to export our software.

Generally speaking, ISC may freely export its products under License Exception ENC to all but a handful of embargoed countries and denied parties. Specifically, our products have been assigned the following Licensing Mechanisms:

ENC unrestricted
ENC unrestricted
ENC unrestricted
5D002 (C.1)
ENC unrestricted
ENC unrestricted
ENC unrestricted
ENC unrestricted

Entities wishing to export our COTS products, or products incorporating our CDK, are advised to seek their own legal counsel and to consult the BIS Regulations referenced above.


ECCN: Export Control Classification Number assigned by BIS in the Commerce Control List (CCL). This is the fundamental designation indicating the level of control for an item.  ISC products fall under one of the following two ECCNs:

  • 5D002 - Information Security - Software (encryption using keys larger than 64 bits)
  • 5D992 - Information Security - Software (encryption using keys less than or equal to 64 bits in length, or data authentication)

LIC:  The license type for all ISC products is "ENC Unrestricted" which indicates that the software is eligible for "ENC" under Sections 740.17(a) and 740.17(b)(3) of the EAR.

CCATS:Commodity Classification Automated Tracking System, the code number assigned by BIS to products that it has classified against the CCL. The CCATS number for each ISC product classified 5D002 is provided because some encryption exports require post-shipment reporting to BIS and this number is a mandatory element of these reports.

Security Solution Checklist
Tabs on this page:


FIPS 140-2 logo


Microsoft Partner logo

Red Hat logo