Data Encryption: In Transit and At Rest
Ensure all data flowing through and stored by your OpenClaw agent is encrypted using industry-standard protocols.
What You Will Get
By the end of this guide, you will have verified and configured encryption for all data that your OpenClaw agent handles. Data in transit will be protected by TLS, and data at rest will be encrypted using AES-256 or equivalent. No sensitive information will be stored or transmitted in plain text.
Encryption is a non-negotiable security requirement. Even if an attacker gains access to network traffic or storage, encrypted data remains unreadable without the decryption keys. This protects user conversations, knowledge base content, API keys, and all other sensitive information.
You will verify TLS configuration, enable encryption at rest, manage encryption keys, and test that encryption is active at every layer. The result is a deployment where data is protected from end to end.
Step-by-Step Setup
Follow these steps to configure comprehensive data encryption.
Verify TLS for All Connections
Open the Security tab and check the TLS status panel. All connections to and from your agent should show TLS 1.2 or higher. If any connection uses plain HTTP, the panel will flag it. Fix flagged connections by updating the endpoint URL to use HTTPS or configuring TLS on the target server.
Enable Encryption at Rest
Navigate to the Encryption settings and enable encryption at rest for all data stores. This encrypts conversation history, knowledge base documents, agent configuration, and backups. The system uses AES-256 encryption, which is an industry standard for protecting stored data.
Configure Key Management
Review the encryption key management settings. By default, RunTheAgent manages encryption keys on your behalf. For enhanced security, you can bring your own key (BYOK), which gives you full control over the encryption key lifecycle. BYOK requires setting up a key management service.
Encrypt Knowledge Base Documents
Verify that uploaded documents are encrypted immediately upon ingestion. The knowledge base settings show the encryption status of each document. Documents uploaded before encryption was enabled should be re-encrypted by running the encryption migration from the Security panel.
Secure Webhook Payloads
Configure payload encryption for webhooks that carry sensitive data. Enable the encryption option in the webhook settings to add an encryption layer on top of TLS. The receiving service uses a shared encryption key to decrypt the payload. This protects the payload in deployments where TLS terminates at a proxy in front of the receiving service, so the last hop would otherwise carry it in plain text.
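The payload-encryption layer described in this step, as an added Go example that is not RunTheAgent's or OpenClaw's own code. It assumes the shared key is 32 bytes and that the scheme is AES-256-GCM with the webhook ID bound in as associated data; the page does not name the cipher or format the webhook option actually uses.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// newAEAD builds AES-256-GCM from the shared key; a wrong key length fails closed.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("shared key must be exactly 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the sending side. Output is nonce || ciphertext || GCM tag, the blob placed in
// the HTTPS body. Binding the webhook ID as associated data (an assumed design choice)
// means a blob captured from one hook is rejected if delivered to another.
func Seal(key []byte, webhookID string, payload []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // 12 bytes, fresh for every message
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, payload, []byte(webhookID)), nil
}

// Open is the receiving side. Any change to nonce, ciphertext or webhook ID, or a
// different key, fails the GCM tag check and no plaintext is returned.
func Open(key []byte, webhookID string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n+aead.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	return aead.Open(nil, blob[:n], blob[n:], []byte(webhookID))
}
```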
Verify Channel Encryption
Check each connected channel's encryption status. Most channels use TLS by default, but verify this in the Channels panel. For channels that support end-to-end encryption, enable it if available. Document which channels provide end-to-end encryption and which only provide transport encryption.
Run an Encryption Audit
Use the Security Audit tool in the dashboard to scan your entire agent setup for unencrypted data paths. The audit checks every connection, data store, and integration. Fix any issues flagged by the audit, then re-run it to confirm everything is encrypted.
Tips and Best Practices
Enforce TLS 1.3 Where Possible
TLS 1.3 is faster and more secure than TLS 1.2. Configure your agent to prefer TLS 1.3 for all connections. Fall back to TLS 1.2 only for services that do not yet support the newer version.
Rotate Encryption Keys Annually
Even with strong encryption, key rotation limits exposure. Schedule annual key rotation and re-encrypt data with the new key. RunTheAgent handles re-encryption transparently during the rotation process.
Do Not Disable Certificate Verification
Never disable TLS certificate verification, even in development. Disabling it allows man-in-the-middle attacks. If you need to connect to a service with a self-signed certificate, import that certificate into the agent's trust store explicitly instead of turning verification off.
Encrypt Backups Separately
Even though your data at rest is encrypted, exported backups should have their own encryption layer. This protects backups when they are stored outside the platform or transferred between systems.