Skip to content

Add encryption support using cryptography to Sessions implementation #1674

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 8 commits into from
Sep 17, 2025
Merged

Add encryption support using cryptography to Sessions implementation #1674

merged 8 commits into from
Sep 17, 2025
+726 −17

Conversation

maxmekiska
Copy link
Contributor

@maxmekiska maxmekiska commented Sep 6, 2025
edited
Loading

EncryptedSession

This PR adds EncryptedSession, a wrapper that provides transparent encryption for any session implementation with TTL-based message expiration.

Key Features

  • Per session key derivation: Uses HKDF with session ID as salt for cryptographic isolation.
  • TTL-based expiration: Messages automatically expire and are silently skipped during retrieval.
  • Transparent encryption: Drop in wrapper for existing sessions (SQLiteSession, SQLAlchemySession).
  • Auto-retry pop: pop_item() automatically skips expired items to find valid ones.

Usage

from agents.extensions.memory import EncryptedSession
from agents.extensions.memory import SQLiteSession

# Wrap any existing session
session = EncryptedSession(
    session_id="user-123",
    underlying_session=SQLiteSession("user-123"),
    encryption_key="your-key",
    ttl=600
)

await Runner.run(agent, "Hello", session=session)

Implementation Details

  • Uses Fernet encryption with per-message TTL validation.
  • Conversation history remains fully functional while being stored encrypted, with automatic expiration of old messages.

@maxmekiska maxmekiska marked this pull request as ready for review September 6, 2025 14:53
edmondtam1
edmondtam1 reviewed Sep 6, 2025
View reviewed changes
Copy link

@edmondtam1 edmondtam1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Brilliant!

@seratch seratch added enhancement New feature or request feature:sessions labels Sep 8, 2025
seratch
seratch requested changes Sep 8, 2025
View reviewed changes
@seratch seratch changed the title Encrypt sessions Add encryption support using cryptography to Sessions implementation Sep 8, 2025
@seratch seratch requested review from rm-openai and seratch September 8, 2025 05:30
@seratch
Copy link
Member

seratch commented Sep 8, 2025

@rm-openai Overall, this enhancement looks good to me (except the env name). Do you have any suggestions or concerns?

habema
habema reviewed Sep 8, 2025
View reviewed changes
@rm-openai
Copy link
Collaborator

@codex review

chatgpt-codex-connector[bot]
chatgpt-codex-connector bot reviewed Sep 8, 2025
View reviewed changes
Copy link

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Codex Review: Here are some suggestions.

Reply with @codex fix comments to fix any unresolved comments.

About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you open a pull request for review, mark a draft as ready, or comment "@codex review". If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex fix this CI failure" or "@codex address that feedback".

@maxmekiska
Copy link
Contributor Author

@rm-openai Overall, this enhancement looks good to me (except the env name). Do you have any suggestions or concerns?

Thanks for the review! I removed the environment variable logic and left it up to the user to decide how to provide the encryption key.

@maxmekiska
Copy link
Contributor Author

maxmekiska commented Sep 8, 2025
edited
Loading

Update

I believe I've resolved the CI issue. The problem was that cryptography wasn't properly included in the uv.lock file when UV_FROZEN=1 was set, causing import failures in tests and type checking.

Solution

  1. Added cryptography to the lock file via uv add --optional encrypt cryptography
  2. Removed the redundant types-cryptography dependency (cryptography ships with built-in types since v3.4+)
  3. Updated the lock file to include the missing dependency for the CI environment

The CI should now pass since UV_FROZEN=1 will use the updated lock file that includes cryptography.

@maxmekiska
Copy link
Contributor Author

Cleaned commit history.

@seratch
Copy link
Member

seratch commented Sep 12, 2025

Can you fix the following error with Python 3.9?

2025-09-12T06:36:50.3297600Z ==================================== ERRORS ====================================
2025-09-12T06:36:50.3298323Z _______ ERROR collecting tests/extensions/memory/test_encrypt_session.py _______
2025-09-12T06:36:50.3299644Z ImportError while importing test module '/home/runner/work/openai-agents-python/openai-agents-python/tests/extensions/memory/test_encrypt_session.py'.
2025-09-12T06:36:50.3301101Z Hint: make sure your test modules/packages have valid Python names.
2025-09-12T06:36:50.3301588Z Traceback:
2025-09-12T06:36:50.3302231Z ../../../.local/share/uv/python/cpython-3.9.23-linux-x86_64-gnu/lib/python3.9/importlib/__init__.py:127: in import_module
2025-09-12T06:36:50.3303105Z     return _bootstrap._gcd_import(name[level:], package, level)
2025-09-12T06:36:50.3303726Z tests/extensions/memory/test_encrypt_session.py:14: in <module>
2025-09-12T06:36:50.3304409Z     from agents.extensions.memory.encrypt_session import EncryptedSession
2025-09-12T06:36:50.3305079Z src/agents/extensions/memory/encrypt_session.py:32: in <module>
2025-09-12T06:36:50.3305659Z     from typing import Any, Literal, TypedDict, TypeGuard, cast
2025-09-12T06:36:50.3306632Z E   ImportError: cannot import name 'TypeGuard' from 'typing' (/home/runner/.local/share/uv/python/cpython-3.9.23-linux-x86_64-gnu/lib/python3.9/typing.py)
2025-09-12T06:36:50.3307570Z =========================== short test summary info ============================
2025-09-12T06:36:50.3308049Z ERROR tests/extensions/memory/test_encrypt_session.py
2025-09-12T06:36:50.3308558Z !!!!!!!!!!!!!!!!!!!! Interrupted: 1 error during collection !!!!!!!!!!!!!!!!!!!!
2025-09-12T06:36:50.3309031Z =============================== 1 error in 4.59s ===============================
2025-09-12T06:36:50.6243452Z make: *** [Makefile:44: old_version_tests] Error 2
2025-09-12T06:36:50.6259143Z ##[error]Process completed with exit code 2.

@maxmekiska
Copy link
Contributor Author

Can you fix the following error with Python 3.9?

2025-09-12T06:36:50.3297600Z ==================================== ERRORS ====================================
2025-09-12T06:36:50.3298323Z _______ ERROR collecting tests/extensions/memory/test_encrypt_session.py _______
2025-09-12T06:36:50.3299644Z ImportError while importing test module '/home/runner/work/openai-agents-python/openai-agents-python/tests/extensions/memory/test_encrypt_session.py'.
2025-09-12T06:36:50.3301101Z Hint: make sure your test modules/packages have valid Python names.
2025-09-12T06:36:50.3301588Z Traceback:
2025-09-12T06:36:50.3302231Z ../../../.local/share/uv/python/cpython-3.9.23-linux-x86_64-gnu/lib/python3.9/importlib/__init__.py:127: in import_module
2025-09-12T06:36:50.3303105Z     return _bootstrap._gcd_import(name[level:], package, level)
2025-09-12T06:36:50.3303726Z tests/extensions/memory/test_encrypt_session.py:14: in <module>
2025-09-12T06:36:50.3304409Z     from agents.extensions.memory.encrypt_session import EncryptedSession
2025-09-12T06:36:50.3305079Z src/agents/extensions/memory/encrypt_session.py:32: in <module>
2025-09-12T06:36:50.3305659Z     from typing import Any, Literal, TypedDict, TypeGuard, cast
2025-09-12T06:36:50.3306632Z E   ImportError: cannot import name 'TypeGuard' from 'typing' (/home/runner/.local/share/uv/python/cpython-3.9.23-linux-x86_64-gnu/lib/python3.9/typing.py)
2025-09-12T06:36:50.3307570Z =========================== short test summary info ============================
2025-09-12T06:36:50.3308049Z ERROR tests/extensions/memory/test_encrypt_session.py
2025-09-12T06:36:50.3308558Z !!!!!!!!!!!!!!!!!!!! Interrupted: 1 error during collection !!!!!!!!!!!!!!!!!!!!
2025-09-12T06:36:50.3309031Z =============================== 1 error in 4.59s ===============================
2025-09-12T06:36:50.6243452Z make: *** [Makefile:44: old_version_tests] Error 2
2025-09-12T06:36:50.6259143Z ##[error]Process completed with exit code 2.

Thanks, this should pass now.

split type imports between typing and typing_extensions:

from typing_extensions import Literal, TypedDict, TypeGuard
from typing import Any, cast

@maxmekiska
Copy link
Contributor Author

@seratch I have implemented all the suggestions, and tests are now passing. Could you take a final look and let me know if you have any further suggestions. Thanks!

@seratch seratch merged commit 85d7d5d into openai:main Sep 17, 2025
5 checks passed
@maxmekiska maxmekiska mentioned this pull request Oct 8, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

@seratch seratch seratch approved these changes

@rm-openai rm-openai Awaiting requested review from rm-openai

+2 more reviewers

@edmondtam1 edmondtam1 edmondtam1 left review comments

@habema habema habema left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

enhancement New feature or request feature:sessions

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@maxmekiska @seratch @rm-openai @edmondtam1 @habema