Security Model
How AVP protects your AI agent credentials at every layer
Security Philosophy
AVP follows a defense-in-depth approach with multiple layers of protection:
- Encryption at Rest - Credentials are always encrypted when stored
- Workspace Isolation - Secrets cannot cross workspace boundaries
- Session Management - Time-limited access with explicit authentication
- Memory Protection - Secrets are handled carefully to minimize exposure
- Hardware Security - Optional HSM support for maximum protection
Encryption
File Backend Encryption
The file backend uses industry-standard cryptography:
- Algorithm: Fernet (AES-128-CBC + HMAC-SHA256)
- Key Derivation: PBKDF2-HMAC-SHA256
- Iterations: 480,000 (OWASP 2023 recommendation)
- Salt: 16 bytes, unique per vault
# Key derivation process (Python, using the `cryptography` package that provides Fernet)
import base64
import os
from cryptography.fernet import Fernet
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC

salt = os.urandom(16)  # unique per vault; stored next to the ciphertext, not secret
kdf = PBKDF2HMAC(algorithm=hashes.SHA256(), length=32, salt=salt, iterations=480000)
key = base64.urlsafe_b64encode(kdf.derive(user_password))  # user_password is bytes; Fernet wants a base64url 32-byte key
# Encryption
ciphertext = Fernet(key).encrypt(plaintext)  # plaintext is bytes; output carries IV, timestamp and HMAC tag
Keychain Backend
Leverages OS-provided security infrastructure:
- macOS: Keychain Services with Secure Enclave support
- Windows: Credential Manager with DPAPI encryption
- Linux: Secret Service API (GNOME Keyring, KWallet)
Keys are protected by the OS and may require biometric authentication.
Hardware Backend (NexusClaw)
Maximum security with FIPS 140-3 Level 3 certified hardware:
- Key Storage: Keys never leave the secure element
- Encryption: AES-256-GCM performed on-device
- Signing: ECDSA P-256 with hardware-protected keys
- Attestation: Cryptographic proof of genuine hardware
Threat Model
AVP is designed to protect against these threats:
| Threat | Protection | Backend |
|---|---|---|
| Plaintext credential exposure | All credentials encrypted at rest | All |
| Cross-agent credential leakage | Workspace isolation boundaries | All |
| Brute force password attacks | 480K PBKDF2 iterations | File |
| Memory scraping | Secure memory handling, minimal plaintext time | All |
| Disk forensics | Strong encryption, no plaintext on disk | File, Keychain |
| Key extraction attacks | Keys never leave hardware | Hardware |
| Replay attacks | Session tokens with expiration | All |
Session Security
Session Properties
- Random IDs: 128-bit cryptographically random session identifiers
- Time-Limited: Sessions expire after configurable TTL (default: 1 hour)
- Workspace-Bound: A session can only access secrets in its workspace
- Revocable: Sessions can be explicitly terminated
# Session creation with TTL
session = client.authenticate(
workspace="production",
ttl_seconds=3600 # 1 hour
)
# Session expires automatically after TTL
# Or can be terminated explicitly
client.terminate(session.session_id)
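The four session properties above, as an added example that is not AVP's own code: a minimal in-memory session store with 128-bit random IDs, TTL expiry, workspace binding and explicit revocation. The class and method names (SessionStore, authorize) are assumptions; the clock is injectable so expiry can be checked without waiting.

```python
import secrets
import time
from dataclasses import dataclass

DEFAULT_TTL_SECONDS = 3600  # 1 hour, the page's default TTL


@dataclass
class Session:
    session_id: str     # 128-bit, cryptographically random
    workspace: str      # the only workspace this session may read
    expires_at: float   # absolute time; the session dies automatically after this


class SessionStore:
    """Issues, checks and revokes workspace-bound, time-limited sessions (hypothetical helper)."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock  # injectable for testing; defaults to wall-clock time

    def authenticate(self, workspace, ttl_seconds=DEFAULT_TTL_SECONDS):
        # 16 bytes from the OS CSPRNG = 128 bits, hex-encoded (32 characters)
        session_id = secrets.token_hex(16)
        session = Session(session_id, workspace, self._clock() + ttl_seconds)
        self._sessions[session_id] = session
        return session

    def authorize(self, session_id, workspace):
        """True only for a live, unexpired session bound to exactly this workspace."""
        session = self._sessions.get(session_id)
        if session is None:
            return False                      # unknown or already revoked
        if self._clock() >= session.expires_at:
            del self._sessions[session_id]    # expired: forget it so the token cannot be replayed
            return False
        # Workspace isolation: a "production" session never reads "development" secrets
        return session.workspace == workspace

    def terminate(self, session_id):
        """Explicit revocation; returns True if the session existed."""
        return self._sessions.pop(session_id, None) is not None
```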
Memory Protection
AVP implementations follow these guidelines for handling secrets in memory:
- Minimize Exposure: Secrets are decrypted only when needed
- Secure Clearing: Memory is overwritten before deallocation (where language allows)
- No Logging: Secret values are never written to logs or debug output
- No Temp Files: Secrets are never written to temporary files
Language Limitations: Some languages (Python, JavaScript) have garbage collection that makes secure memory clearing difficult. For maximum memory protection, use the Rust SDK or hardware backend.
Best Practices
Recommended Security Configuration
- Development: Use file backend with a strong password
- Staging: Use keychain backend for OS-level protection
- Production: Use hardware backend (NexusClaw) for maximum security
Password Requirements
For file backend, use passwords that are:
- At least 16 characters long
- Generated randomly (use avp generate-password)
- Stored securely (not in source code or environment variables)
Workspace Organization
- Use separate workspaces for different environments (dev/staging/prod)
- Use separate workspaces for different agents in multi-agent systems
- Never share workspace credentials between unrelated systems
Compliance
AVP's security model supports compliance with:
- SOC 2: Encryption at rest, access controls, audit logging
- GDPR: Data protection, secure storage
- PCI DSS: Strong cryptography, key management (with hardware backend)
- HIPAA: Encryption, access controls (with appropriate configuration)
Note: Compliance depends on your overall system architecture. AVP provides the building blocks, but you must ensure proper configuration and operational practices.
Security Reporting
Found a security vulnerability? Please report it responsibly:
- Email: security@avp-protocol.org
- Do not disclose publicly until we've had a chance to address it
- We aim to respond within 48 hours