Encryption Hub · Encrypted RAG

Encrypt the knowledge, obfuscate the vectors

Retrieval-augmented generation turns your proprietary knowledge into the agent's. NuDay encrypts that knowledge before it is embedded and obfuscates the vectors themselves, so your RAG store is not a plaintext honeypot.

A vector knowledge store rendered as encrypted, obfuscated points

Vector databases like pgvector and Pinecone are frequently left exposed, a honeypot for source code, enterprise data, and PHI.

The agent retrieves what it needs; an attacker who reaches the store finds nothing readable.

What we protect

Two layers of protection

RAG leaks in two ways: the underlying data, and the vectors that index it. NuDay protects both.

Encrypt the RAG data

The risk

Vector databases are frequently left exposed, acting as a honeypot for unstructured enterprise data, source code, and PHI.

The NuDay standard

NuDay encrypts proprietary data before the embedding model chunks and stores it. Retrieval and decryption happen automatically in real time, governed by the agent's access keys.

Obfuscate the vectors

The risk

Even without the source text, raw embedding vectors can be inverted to reconstruct sensitive content. Plaintext vectors are a leak in their own right.

The NuDay standard

NuDay obfuscates the vectors themselves, so the index stays useful for similarity search while an attacker who reaches it cannot invert the embeddings back into your data.

How it works

Encryption that layers onto your retrieval stack

Without giving up search quality.

1

Encrypt before embedding

Source documents are encrypted before they are chunked and embedded, so plaintext never lands in the ingestion pipeline or the vector store.

2

Obfuscate the index

The embedding vectors are transformed so similarity search still ranks results correctly, while the raw vectors can no longer be inverted back into the content they came from.

3

Decrypt only on retrieval, under keys

When the agent pulls a chunk, it is decrypted just in time under the agent's access keys and used to answer, then discarded. Nothing is left decrypted at rest.

Works with your vector store

NuDay layers over standard vector databases such as pgvector and Pinecone rather than replacing them, so you keep your retrieval stack and add encryption and vector obfuscation on top.

The evidence

Your knowledge base stops being a target

When the RAG store is encrypted and the vectors obfuscated, the thing attackers usually reach for is worthless to them, and your reviewers have a clear answer for where proprietary knowledge lives.

Encrypt before embedding

Data is protected before it ever reaches the embedding model or the vector store.

Retrieval under keys

Decryption is automatic and governed by the agent's access keys, never a standing plaintext copy.

Obfuscated index

Similarity search still works; embedding inversion does not.

Under the hood

Backed by one cryptographic engine

RAG is protected by the same per-record pipeline that secures agent memory and shared memory: checksum, signature, authenticated encryption under a per-record key, and an independent MAC. Native, zero-config, and near-zero overhead.

See how the encryption works

See it in your stack

See encrypted RAG in your stack.

Bring your pilot and your reviewers. We will show how your knowledge base is encrypted, how the vectors are obfuscated, and the evidence your teams receive.