LineageCrypt

Application-Specific Cryptographic Agent

LineageCrypt is a cryptographic agent that acts on behalf of every protected application — and every AI agent. It performs the cryptographic operations the application would otherwise perform itself, with each action cryptographically attributable to that specific application. Each application can own and exercise its own private cryptographic identity — a level of individuation that, until now, only hardware devices have truly had.

How it works
Figure: LineageCrypt versus a conventional cloud HSM, compared across authority model, operation mode, and private-key ownership.
Unlike a conventional cloud HSM, LineageCrypt grants authority through cooperative lineage to the verified application itself — so each application owns its private key, and no other process, not even root, can exercise it.

A different authority model

A conventional HSM grants authority by verifying credentials an application presents, then passively executes the primitives it requests — a shared engine many callers invoke. LineageCrypt grants authority through cooperative interactions between its Authorization Principal and its Key Server, conducted on behalf of one specific application along a lineage of state pairs, then actively performs the cryptographic work and advances that lineage as part of the same operation.

The practical consequence: an application owns its private cryptographic identity rather than merely holding a key. The material is held in a certified secure element, and the capability is structurally bound to the application’s verifiable execution identity. No other process — not even one with root on the same host — can exercise it.

Cryptographic operations performed on the application’s behalf

  • Per-application signing — anchored to the application’s individuated identity, not the host or user.
  • Mutual authentication between applications — each proves its identity through LineageCrypt; neither manages certificates.
  • Session-key establishment — fresh keys bound to both identities, with full lifecycle handling.
  • Encryption & decryption of traffic — bound to application identity, regardless of network trust.
  • Certificate & identity verification — against a single BicDroid trust anchor.
  • Standard operations on request — via PKCS#11, KMIP, Microsoft CNG, Java JCE, and Go’s crypto package, with per-application binding applied automatically.

Problems LineageCrypt solves

  • Microservice authentication: Per-service identity that cannot impersonate peers even after compromise.
  • Cryptographic identity for AI agents: Each agent registered by its model, tools, configuration, and execution context.
  • Per-application boundaries for regulated workloads: One independent identity per application, the granularity regulators expect.
  • Hardening existing apps without rewrites: Existing crypto API calls are routed through LineageCrypt transparently.

Built for the AI agent era

Autonomous agents take consequential actions that increasingly require cryptographic attribution — signing transactions, authenticating to tools, proving provenance, attesting to their own configuration. LineageCrypt registers each agent as a protected application with its own cryptographic agent, and every action it signs is attributable to that specific agent configuration, distinct from every other agent in the deployment. As per-agent cryptographic identity becomes a standard requirement, LineageCrypt is positioned to be the cryptographic infrastructure layer of the AI agent era.

How it fits your infrastructure

LineageCrypt has two components: an Authorization Principal that runs alongside the protected applications (as a kernel module, linked library, or side-car), and a Key Server holding the certified secure element. The Key Server can be operated by BicDroid as a managed service, by the customer, or in a hybrid configuration. Applications already using standard cryptographic interfaces adopt LineageCrypt with no cryptographic code changes; applications that cannot be modified are protected transparently at the socket layer by LightNet.

The BicDroid family

Each product enforces its guarantee without depending on perimeter trust, host integrity, or the correct behaviour of the software it protects. Deploy one, or combine them for the complete cryptographic lifecycle.

Talk to BicDroid

A cryptographic agent for every application.

Give each application and AI agent a private identity it owns — provable, attributable, and impossible to exercise from anywhere else.