Encryption
Data encryption at rest for Mnemosyne memory stores.
Encryption at rest (AES-256-GCM or equivalent) is not yet implemented in the Mnemosyne constructor. The Memory() class does not accept an encryption_key parameter. This page documents the planned feature. Use filesystem-level encryption in the meantime.
Current Recommendations
Since application-level encryption is not yet available, protect data at rest using:
Filesystem Encryption
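```bash
# LUKS full-disk encryption (Linux)
# luksFormat destroys any existing data on /dev/sdb1
cryptsetup luksFormat /dev/sdb1
cryptsetup luksOpen /dev/sdb1 mnemosyne-data
# First-time setup only: create a filesystem on the opened mapping (ext4 as an example)
mkfs.ext4 /dev/mapper/mnemosyne-data
# Mount encrypted volume
mount /dev/mapper/mnemosyne-data /data
```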
Database File Permissions
```bash
# Restrict access to database file
chmod 600 /data/mnemosyne.db
chown mnemosyne:mnemosyne /data/mnemosyne.db
```
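The following check is an added example, not part of Mnemosyne: it audits the permissions above on the database and on the journal, WAL and shared-memory files SQLite may create beside it, and tests whether a path sits on a dm-crypt mapping. The function names are hypothetical, and GNU `stat`, `findmnt` and `lsblk` are assumed.

```bash
#!/bin/sh
# Added example, not Mnemosyne code. Function names are hypothetical.

# audit_db_perms DB OWNER: print one line per finding, return 0 only if clean.
audit_db_perms() (
    db=$1 owner=$2 rc=0
    [ -e "$db" ] || { echo "MISSING $db"; rc=1; }
    # SQLite can leave rollback-journal, WAL and shared-memory files beside the
    # database; they hold the same records and need the same protection.
    for f in "$db" "$db-journal" "$db-wal" "$db-shm"; do
        [ -e "$f" ] || continue
        if [ -L "$f" ]; then echo "SYMLINK $f"; rc=1; continue; fi
        mode=$(stat -c '%a' "$f")        # GNU stat, octal mode such as 600
        case $mode in
            0|*00) ;;                    # no group or other bits set
            *) echo "MODE $mode $f"; rc=1 ;;
        esac
        user=$(stat -c '%U' "$f")
        [ "$user" = "$owner" ] || { echo "OWNER $user $f"; rc=1; }
    done
    # A group- or world-writable directory lets another account swap the file.
    dir=$(dirname -- "$db")
    mode=$(stat -c '%a' "$dir")
    case $mode in
        *[2367]|*[2367]?) echo "DIR $mode $dir"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ]
)

# on_dmcrypt PATH: true when PATH's filesystem sits directly on a dm-crypt
# mapping such as /dev/mapper/mnemosyne-data (LVM on top of LUKS reports "lvm").
on_dmcrypt() (
    src=$(findmnt -n -o SOURCE -T "$1") || exit 1
    [ "$(lsblk -d -n -o TYPE "$src" 2>/dev/null)" = crypt ]
)

# Usage: audit_db_perms /data/mnemosyne.db mnemosyne && on_dmcrypt /data
```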
Environment Isolation
Run Mnemosyne in isolated environments (containers, VMs) with encrypted storage volumes to prevent unauthorized access to the SQLite database file.
Planned Features
When implemented, encryption is expected to cover:
| Data | Planned | Notes |
|---|---|---|
| Memory content | Yes | All text content |
| Embeddings | No | Vectors not encrypted (performance) |
| Metadata | Partial | Tags and source encrypted; timestamps not |
| Semantic triples | Yes | Subject, predicate, object |
Even without application-level encryption, always use filesystem encryption and proper file permissions for production deployments. Memory databases contain sensitive user data and conversation history.