Encryption Hub

Encrypt what your agents remember, retrieve, and share

NuDay encrypts the agent's entire data surface: its memory, its RAG knowledge, and the context agents pass to each other. It is native to the platform, so there is nothing to configure.

Stacked agent data layers, each sealed by encryption, under one master lock

Most agent frameworks persist memory, knowledge, and shared context as plaintext. NuDay makes every record its own encrypted, signed, tamper-evident domain.

Breach the infrastructure, and what you get is ciphertext, not our customers' business.

Sovereignty

The model stays yours

To achieve truly sovereign AI, you run your LLM locally. NuDay secures every other aspect of the agent and everything around the model, and for the highest assurance you keep the model itself in your walls, on-prem or air-gapped. Your data and your reasoning never leave.

See Sovereign AI and Air-Gapped AI

How it runs

Native, fast, standards-based

Strong encryption usually means configuration, latency, and trade-offs. NuDay's does not.

Native and zero-config

Encryption is built into the platform and on by default. Your team configures nothing to get it.

Near-zero overhead

NIST-approved algorithms with native hardware acceleration (AES-NI) in every modern processor, so performance stays high.

Your keys, your choice

Bring your own keys on SaaS or hybrid deployments. On-prem keeps your keys entirely in-house.

Under the hood

One cryptographic engine behind all three

Memory, RAG, and shared memory are protected by the same pipeline: every record gets a plaintext checksum, a signature, authenticated encryption under a per-record key, and an independent MAC before it is stored.

  1. Agent Action

    reply, memory, or tool call

    It starts with the agent.

    A reply is generated, a memory saved, a tool called, producing a fresh checkpoint of state.

  2. Agent config validated

    Signed config verified before every turn.

  3. 01

    CHK2 checksum

    plaintext integrity

    Detect corruption.

    A digest of the plaintext rides in a versioned header and is re-verified after every decrypt.

  4. 02

    SIG1 signature

    classical or post-quantum

    Prove authorship.

    Classical DSA or post-quantum ML-DSA (Dilithium), per tenant. Going PQ is a config switch.

  5. 03

    AES-GCM encrypt

    epoch-derived key

    Seal the record.

    Authenticated encryption under a key unique to this checkpoint: epoch root key, XOR version chain.

  6. Automatic key rotation

    Fresh root keys arrive on whatever schedule you set.

  7. 04

    HMAC + headers

    MAC over payload + epoch

    Verify independently.

    A keyed MAC over payload + epoch adds a second integrity layer with an independent key.

  8. 05

    Store sealed blob

    written to state database

    Nothing readable at rest.

    A stolen database yields only ciphertext; tampering is caught on load and alerts fire immediately.

  9. State database

    every message its own encrypted, signed, tamper-evident record

Layer-by-layer cryptographic breakdown for technical readers

Future-proofed

Post-quantum cryptography and native crypto-agility

The threat landscape is shifting toward "harvest now, decrypt later": actors steal encrypted data today to break it with tomorrow's quantum computers. NuDay secures your infrastructure against both.

Post-quantum cryptography

We natively support NIST-approved post-quantum algorithms (such as ML-KEM and ML-DSA), so your agent's memory, RAG stores, and A2A communications stay resistant to quantum decryption.

Native crypto-agility

As standards evolve, your security team can hot-swap encryption libraries and key-management protocols with zero downtime, without rewriting a line of agent code.

See it for yourself

See what NuDay encrypts, and what review gets.

Bring your pilot and your reviewers. We will walk through exactly what is encrypted and the evidence your security and audit teams receive.