Proposal: Secure Memory Encryption for Sensitive Context #21

@Protocol-zero-0

Summary

The current implementation stores memories in plaintext within the /memory directory or database. As agents handle increasingly sensitive user data (API keys, personal notes, PII), storing this unencrypted poses a significant risk if the host environment is compromised or if logs are inadvertently shared.

Proposal

Implement an optional encryption layer for stored memories using a user-provided passphrase or key file (e.g., ~/.secrets/memory.key). This would ensure that:

  1. Memory files on disk are encrypted at rest.
  2. Only the active agent session can decrypt and access them.
  3. Unauthorized access to the file system does not expose historical context.

Technical Approach

  • Introduce encryption: boolean and keyPath: string to the configuration.
  • Utilize AES-256-GCM for authenticated encryption of memory blobs before write.
  • Decrypt only on load/search operations.

This aligns with OpenClaw's security-first principles for production deployments.
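A sketch of the encrypt-before-write and decrypt-on-load steps from the Technical Approach, added here as an illustration; it is not OpenClaw code and not part of the original post. The function names, the `MEM1` header, the blob layout and the use of scrypt to turn the passphrase into a key are all assumptions.

```javascript
const crypto = require("node:crypto");

// Assumed on-disk layout (not from the issue): MAGIC | nonce(12) | tag(16) | ciphertext
const MAGIC = Buffer.from("MEM1");
const NONCE_LEN = 12;
const TAG_LEN = 16;
const HEADER_LEN = MAGIC.length + NONCE_LEN + TAG_LEN;

// Derive the 256-bit key once per session from the passphrase. scrypt is an
// assumption; the salt is random, not secret, and stored beside the memories.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32);
}

// Encrypt one memory before write. A fresh random nonce per write is required:
// reusing a nonce under the same key breaks GCM.
function encryptMemory(key, memoryId, plaintext) {
  const nonce = crypto.randomBytes(NONCE_LEN);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, nonce);
  // The memory id is authenticated as AAD, so a blob copied over another
  // memory's file fails to decrypt.
  cipher.setAAD(Buffer.from(memoryId, "utf8"));
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return Buffer.concat([MAGIC, nonce, cipher.getAuthTag(), ciphertext]);
}

// Decrypt on load/search. Throws on a wrong key, a modified blob or a mismatched id.
function decryptMemory(key, memoryId, blob) {
  if (blob.length < HEADER_LEN || !blob.subarray(0, MAGIC.length).equals(MAGIC)) {
    throw new Error("not an encrypted memory blob");
  }
  const nonce = blob.subarray(MAGIC.length, MAGIC.length + NONCE_LEN);
  const tag = blob.subarray(MAGIC.length + NONCE_LEN, HEADER_LEN);
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, nonce, { authTagLength: TAG_LEN });
  decipher.setAAD(Buffer.from(memoryId, "utf8"));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(blob.subarray(HEADER_LEN)), decipher.final()]).toString("utf8");
}

// Constructed sample data: a round trip, then a one-bit change is rejected.
function demo() {
  const key = deriveKey("constructed-passphrase", crypto.randomBytes(16));
  const blob = encryptMemory(key, "mem-001", "note: constructed sample");
  const roundTrip = decryptMemory(key, "mem-001", blob);
  blob[blob.length - 1] ^= 1; // flip one ciphertext bit
  let tamperRejected = false;
  try { decryptMemory(key, "mem-001", blob); } catch { tamperRejected = true; }
  return { roundTrip, tamperRejected };
}
```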
