Summary
The current implementation stores memories in plaintext within the /memory directory or database. As agents handle increasingly sensitive user data (API keys, personal notes, PII), storing this unencrypted poses a significant risk if the host environment is compromised or if logs are inadvertently shared.
Proposal
Implement an optional encryption layer for stored memories using a user-provided passphrase or key file (e.g., ~/.secrets/memory.key). This would ensure that:
- Memory files on disk are encrypted at rest.
- Only the active agent session can decrypt and access them.
- Unauthorized access to the file system does not expose historical context.
Technical Approach
- Introduce
encryption: boolean and keyPath: string to the configuration.
- Utilize
AES-256-GCM for authenticated encryption of memory blobs before write.
- Decrypt only on load/search operations.
This aligns with OpenClaw's security-first principles for production deployments.
Summary
The current implementation stores memories in plaintext within the
/memorydirectory or database. As agents handle increasingly sensitive user data (API keys, personal notes, PII), storing this unencrypted poses a significant risk if the host environment is compromised or if logs are inadvertently shared.Proposal
Implement an optional encryption layer for stored memories using a user-provided passphrase or key file (e.g.,
~/.secrets/memory.key). This would ensure that:Technical Approach
encryption: booleanandkeyPath: stringto the configuration.AES-256-GCMfor authenticated encryption of memory blobs before write.This aligns with OpenClaw's security-first principles for production deployments.