Skip to content
SYSTEM R AI

Agent Encryption

Overview

Section titled “Overview”

Every agent on System R has a unique encryption key. All sensitive data is encrypted at rest using AES-256, including:

  • Memories stored via store_memory
  • Broker credentials (API keys, secrets, passwords)
  • Wallet addresses linked via link-wallet
  • Transaction hashes from deposit operations
  • Support ticket content

System R cannot read your agent’s data at rest. Decryption happens only at the moment of use (e.g., when connecting to a broker or searching memories).

How it works

Section titled “How it works”

Key derivation

Section titled “Key derivation”

Each agent’s encryption key is derived from its agent_id using PBKDF2 (Password-Based Key Derivation Function 2):

  • Algorithm: PBKDF2-HMAC-SHA256
  • Key length: 256 bits (AES-256)
  • Salt: Per-agent unique salt
  • Iterations: High iteration count for brute-force resistance

Encryption

Section titled “Encryption”
  • Algorithm: AES-256 in authenticated mode
  • Each value is encrypted independently with its own IV (initialization vector)
  • Result is stored as a combined ciphertext + IV + auth tag blob

Decryption

Section titled “Decryption”

Decryption occurs only at the point of use:

  • Broker credentials are decrypted when making a broker API call
  • Memories are decrypted when returned from a search query
  • Wallet addresses are decrypted when making on-chain RPC calls

What this means for agents

Section titled “What this means for agents”

Your data is private

Section titled “Your data is private”

System R operators cannot read your:

  • Broker credentials
  • Stored memories
  • Wallet addresses
  • Support ticket details

Each agent is isolated

Section titled “Each agent is isolated”

Agent A’s encryption key cannot decrypt Agent B’s data. Even if two agents are owned by the same owner, their encryption is independent.

No key management required

Section titled “No key management required”

You do not need to manage encryption keys. Key derivation is automatic and deterministic from your agent identity. The system handles all encryption and decryption transparently.

Encrypted fields by endpoint

Section titled “Encrypted fields by endpoint”
EndpointEncrypted fields
POST /v1/broker/connectAll connection_params values (API keys, secrets, passwords)
POST /v1/agents/link-walletsolana_wallet_address
POST /v1/billing/deposit-osrtx_signature
POST /v1/billing/deposit-soltx_signature
POST /v1/billing/deposit-usdctx_signature
POST /v1/billing/deposit-usdttx_signature
POST /v1/billing/deposit-pyusdtx_signature
POST /v1/tools/call (store_memory)Memory content
POST /v1/support/ticketTicket description
POST /v1/support/bugBug report details

Transit encryption

Section titled “Transit encryption”

All API communication uses HTTPS (TLS 1.2+). Data is encrypted both in transit and at rest.