# Security
URL: /docs/framework/security
Source: /app/src/content/docs/framework/security.mdx

import { DocImage } from '@/components/DocImage';

<DocImage title="Security" />

**Field-level encryption for protecting sensitive data in your Astreus agents**

## Overview

Astreus includes built-in **AES-256-GCM encryption** to protect sensitive data stored in your database. This feature provides transparent field-level encryption for conversations, system prompts, task data, and knowledge base content.

## Quick Setup

### 1. Generate Encryption Key

```bash
# Generate a cryptographically secure 256-bit key
openssl rand -hex 32
```

### 2. Configure Environment

```bash
# Enable encryption
ENCRYPTION_ENABLED=true

# Your secure master key (keep this secret!)
ENCRYPTION_MASTER_KEY=your-256-bit-encryption-key-here

# Optional: specify algorithm (default: aes-256-gcm)
ENCRYPTION_ALGORITHM=aes-256-gcm
```

### 3. Use Normally

```javascript
import { Agent } from '@astreus-ai/astreus';

// Create agent with sensitive system prompt
const agent = await Agent.create({
  name: 'SecureAgent',
  systemPrompt: 'Your confidential business logic here', // ← Automatically encrypted
  memory: true,
  knowledge: true
});

// All interactions automatically encrypted
const response = await agent.ask('Sensitive question here');

// Knowledge uploads automatically encrypted
await agent.knowledge.addDocument(
  'Confidential Document', 
  'Sensitive content here' // ← Automatically encrypted
);
```

## Key Management

### Master Key Requirements

* **Minimum Length**: 32 characters (256 bits)
* **Generation**: Use cryptographically secure random generators
* **Storage**: Store securely outside of codebase
* **Rotation**: Plan for periodic key rotation