🔐 Disk Encryption

BitLocker VHD on Windows, LUKS on Linux. XTS-AES-256 encryption for your AI agent's most sensitive data.

Your AI agent's memory contains sensitive information: conversations, decisions, credential references, business logic. If someone gains physical access to the host machine, all of that data is exposed unless it is encrypted at rest. UAML's Disk Encryption feature keeps agent data protected even if the hardware leaves your control, provided the vault is locked at the time (it is locked whenever the agent is not running).

Instead of requiring full-disk encryption (which may already be in place or impractical to retrofit), UAML creates a dedicated encrypted virtual disk specifically for agent data. This gives you targeted encryption with minimal overhead and independent key management.

How It Works

🪟 BitLocker VHD (Windows)

UAML creates a Virtual Hard Disk (VHD) file, formats it with NTFS, and encrypts the volume with BitLocker using XTS-AES-256. The VHD is mounted at agent startup and the UAML data directory lives on it; when the agent stops, the volume is locked and the VHD dismounted. All memory, embeddings, and session data live inside the encrypted volume.

🐧 LUKS (Linux)

On Linux, UAML creates a LUKS2-encrypted container file using cryptsetup. The container uses AES-256-XTS (aes-xts-plain64 with a 512-bit key) with argon2id key derivation. At startup the file is attached as a loop device, the LUKS mapping is opened, and the filesystem inside it is mounted at the UAML data path; at shutdown it is unmounted and the mapping closed. The same auto-mount/auto-lock lifecycle applies, so your data is ciphertext on disk whenever the agent isn't running.
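The Linux lifecycle above as an added example (not UAML's own code), followed by the check a practitioner runs after creation: parse `cryptsetup luksDump` and confirm the header is LUKS2, the data cipher is aes-xts-plain64 and every keyslot is 512-bit and argon2id-protected. The file and mount paths, the mapper name, the `UAML_*` variables and the use of a key file for the auto-mount key are assumptions, not taken from the page; the luksDump sample is constructed, not captured from a real vault.

```shell
#!/usr/bin/env bash
# Added example (not UAML's own code): the LUKS2 lifecycle the page describes,
# plus the header check to run after creation. Assumptions not taken from the
# page: the file/mount paths, the mapper name, the UAML_* variables, and that
# the auto-mount key is a key file rather than an interactive passphrase.
set -eu

VAULT="${UAML_VAULT:-$HOME/.uaml/vault.luks}"     # container file (assumed path)
KEYFILE="${UAML_KEYFILE:-$HOME/.uaml/vault.key}"  # auto-mount key file (assumed)
MAPPER="${UAML_MAPPER:-uaml-vault}"               # appears as /dev/mapper/$MAPPER
DATA="${UAML_DATA:-$HOME/.uaml/data}"             # UAML data path (assumed)
SIZE_MB="${UAML_SIZE_MB:-1024}"                   # 1 GB to start, as on the page
DRY_RUN="${UAML_DRY_RUN:-1}"                      # 1 = print commands, 0 = execute (root)

run() { if [ "$DRY_RUN" = 1 ]; then printf 'DRY: %s\n' "$*"; else "$@"; fi; }

luks_create() {
  run mkdir -p "$(dirname "$VAULT")"
  # Sparse file: blocks are allocated on write, but the nominal size is fixed here.
  run truncate -s "${SIZE_MB}M" "$VAULT"
  run chmod 600 "$VAULT"
  # --key-size 512 is two 256-bit keys, i.e. AES-256 in XTS mode; argon2id as on the page.
  run cryptsetup luksFormat --type luks2 --batch-mode \
      --cipher aes-xts-plain64 --key-size 512 --pbkdf argon2id \
      --key-file "$KEYFILE" "$VAULT"
  # cryptsetup attaches a regular file to a loop device itself; no losetup needed.
  run cryptsetup open --key-file "$KEYFILE" "$VAULT" "$MAPPER"
  run mkfs.ext4 -q -L UAML "/dev/mapper/$MAPPER"
  run cryptsetup close "$MAPPER"
}

# Agent start: open and mount. Agent stop: unmount and close, so only
# ciphertext is on disk whenever the agent is not running.
luks_unlock() {
  run cryptsetup open --key-file "$KEYFILE" "$VAULT" "$MAPPER"
  run mkdir -p "$DATA"
  run mount -o nodev,nosuid "/dev/mapper/$MAPPER" "$DATA"
}
luks_lock() {
  run umount "$DATA"
  run cryptsetup close "$MAPPER"
}

# Reads `cryptsetup luksDump <file>` output on stdin. Exit 0 only if the header
# is LUKS2, the data segment uses aes-xts-plain64, and every keyslot holds a
# 512-bit key protected by argon2id; otherwise print the first problem, exit 1.
luks_header_ok() {
  awk '
    /^Version:/                 { ver = $2 }
    /^[ \t]*cipher:/            { if ($2 == "aes-xts-plain64") cipher_ok = 1 }
    /^Keyslots:/                { in_slots = 1; next }
    /^(Tokens|Digests):/        { in_slots = 0 }
    in_slots && /^[ \t]*Key:/   { slots++; if ($2 != "512") bad_key++ }
    in_slots && /^[ \t]*PBKDF:/ { if ($2 != "argon2id") bad_pbkdf++ }
    END {
      if (ver != "2") { print "FAIL: not a LUKS2 header"; exit 1 }
      if (!cipher_ok) { print "FAIL: data cipher is not aes-xts-plain64"; exit 1 }
      if (slots == 0) { print "FAIL: no keyslots"; exit 1 }
      if (bad_key)    { print "FAIL: keyslot key shorter than 512 bits"; exit 1 }
      if (bad_pbkdf)  { print "FAIL: keyslot PBKDF is not argon2id"; exit 1 }
      print "OK: LUKS2, aes-xts-plain64, " slots " argon2id keyslot(s)"
    }'
}

# Constructed, trimmed luksDump sample (not captured from a real vault); used to
# exercise the check in dry-run mode.
SAMPLE_DUMP=$(cat <<'EOF'
LUKS header information
Version:        2
Epoch:          3

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
        Threads:    4
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
EOF
)

luks_verify() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$SAMPLE_DUMP" | luks_header_ok
  else cryptsetup luksDump "$VAULT" | luks_header_ok; fi
}

main() { luks_create; luks_verify; luks_unlock; luks_lock; }
main
```

Run as-is to see the command sequence; run with `UAML_DRY_RUN=0` as root to execute it. Keep the key file on a filesystem the agent's user can read but nobody else can, and note that `luks_header_ok` rejects a header with a pbkdf2 slot or a 256-bit key even when the data cipher is right, which is the case a hand-built container most often gets wrong.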

Virtual Disk for UAML Data

The virtual disk approach has significant advantages over full-disk encryption. It's portable — you can back up the encrypted VHD/LUKS file and restore it on another machine. It's isolated — UAML encryption doesn't interfere with your system's own encryption setup. And it's targeted — only agent data is encrypted, so there's no performance impact on other applications.

The virtual disk is sized dynamically based on your agent's data volume. A typical agent starts with a 1 GB volume that grows as needed. Maximum size is configurable, and UAML monitors disk usage to warn you before you approach the limit. Note the platform difference: a dynamic VHDX on Windows allocates space as data is written, whereas a LUKS container file has a fixed nominal size at creation. It can be created sparse so that it also allocates on write, but raising its capacity later means growing the file, then running cryptsetup resize and a filesystem resize.

```powershell
# Windows: BitLocker VHD creation (auto-generated by UAML)
# New-VHD/Mount-VHD come from the Hyper-V PowerShell module; run from an elevated session.

# Create a dynamically expanding VHDX (space is allocated as data is written)
New-VHD -Path "C:\Users\user\.uaml\vault.vhdx" `
    -SizeBytes 2GB -Dynamic

# Mount and format. Take the disk object from Mount-VHD rather than assuming disk number 1.
$disk = Mount-VHD -Path "C:\Users\user\.uaml\vault.vhdx" -PassThru | Get-Disk
Initialize-Disk -Number $disk.Number -PartitionStyle GPT
New-Partition -DiskNumber $disk.Number -UseMaximumSize -DriveLetter U
Format-Volume -DriveLetter U -FileSystem NTFS -NewFileSystemLabel "UAML"

# Enable BitLocker with XTS-AES-256. -RecoveryKeyPath is only honoured together with
# -RecoveryKeyProtector, and the directory must exist. The key file this writes sits
# beside vault.vhdx; move it off the machine (see Recovery Key Management).
New-Item -ItemType Directory -Force -Path "C:\Users\user\.uaml\recovery" | Out-Null
Enable-BitLocker -MountPoint "U:" `
    -EncryptionMethod XtsAes256 `
    -RecoveryKeyPath "C:\Users\user\.uaml\recovery" `
    -RecoveryKeyProtector

# Auto-lock at agent stop: Lock-BitLocker -MountPoint "U:" -ForceDismount, then Dismount-VHD.
# With only the recovery-key protector the volume comes back locked after the next
# Mount-VHD and needs Unlock-BitLocker -MountPoint "U:" -RecoveryKeyPath <key file>.
```

Recovery Key Management

Losing access to your encrypted data would be catastrophic, so UAML takes recovery seriously. When encryption is set up, a recovery key is generated and displayed once. You're prompted to save it in a secure location — a password manager, a printed copy, or a separate encrypted storage.

UAML never stores the recovery key alongside the encrypted data. The key and the vault are always separate. For enterprise deployments, recovery keys can be escrowed to Active Directory or a designated key management service (on Windows, Backup-BitLockerKeyProtector writes a recovery password protector to AD DS; on Linux the equivalent is a second LUKS keyslot whose passphrase is held by the escrow service), ensuring that IT administrators can recover data if an employee leaves or a machine fails.
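The Linux side of the recovery story above, as an added example that is not UAML's own code: a second LUKS keyslot holding a recovery passphrase, a LUKS header backup (a damaged header makes the vault unrecoverable even with a valid passphrase, which the page does not mention), and a guard that refuses to write either next to the vault file, which is the separation the paragraph above requires. The paths, file names and `UAML_*` variables are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not UAML's own code): LUKS-side recovery material for the
# container the page describes. Adds a keyslot holding a recovery passphrase,
# backs up the LUKS header, and refuses to place either beside the vault file.
# Paths, file names and the UAML_* variables are assumptions.
set -eu

VAULT="${UAML_VAULT:-$HOME/.uaml/vault.luks}"             # container file (assumed path)
KEYFILE="${UAML_KEYFILE:-$HOME/.uaml/vault.key}"          # existing auto-mount key (assumed)
RECOVERY_DIR="${UAML_RECOVERY_DIR:-/media/recovery/uaml}" # removable or off-box (assumed)
DRY_RUN="${UAML_DRY_RUN:-1}"                              # 1 = print commands, 0 = execute (root)

run() { if [ "$DRY_RUN" = 1 ]; then printf 'DRY: %s\n' "$*"; else "$@"; fi; }

# Returns 0 when path $1 is outside the directory holding vault $2, and 1 when
# it is that directory or anything below it (the "key beside the vault" mistake).
# A sibling such as ~/.uaml-backup is outside: the pattern requires the "/".
separate_from_vault() {
  vault_dir=$(dirname "$2")
  case "$1" in
    "$vault_dir"|"$vault_dir"/*) return 1 ;;
    *)                           return 0 ;;
  esac
}

# 32 random bytes as base64: 256 bits of entropy in 44 printable characters,
# suitable for a password-manager entry or a printed sheet.
new_recovery_passphrase() { head -c 32 /dev/urandom | base64 | tr -d '\n'; }

add_recovery_slot() {
  rec="$RECOVERY_DIR/recovery-passphrase.txt"
  separate_from_vault "$rec" "$VAULT" || {
    echo "refusing: $rec would sit beside $VAULT" >&2; return 1; }
  run mkdir -p "$RECOVERY_DIR"
  if [ "$DRY_RUN" = 1 ]; then
    printf 'DRY: write a new passphrase to %s (mode 0600)\n' "$rec"
  else
    (umask 077; new_recovery_passphrase > "$rec")
  fi
  # The existing key authorises the change; the new slot gets argon2id as well.
  run cryptsetup luksAddKey --pbkdf argon2id --key-file "$KEYFILE" "$VAULT" "$rec"
  # Prove the recovery passphrase opens the vault, without mapping the device.
  run cryptsetup open --test-passphrase --key-file "$rec" "$VAULT"
}

# The backup keeps the keyslots as they were at backup time, so a passphrase
# revoked later still opens the data through an old backup: refresh the backup
# after every keyslot change and treat it with the same care as the passphrase.
backup_header() {
  hdr="$RECOVERY_DIR/vault.luks-header.img"
  separate_from_vault "$hdr" "$VAULT" || {
    echo "refusing: $hdr would sit beside $VAULT" >&2; return 1; }
  run cryptsetup luksHeaderBackup "$VAULT" --header-backup-file "$hdr"
  run chmod 600 "$hdr"
}

main() { add_recovery_slot; backup_header; }
main
```

Run as-is to see the commands; with `UAML_DRY_RUN=0` as root it executes them. Pointing `UAML_RECOVERY_DIR` at a directory under `~/.uaml` makes both functions refuse, which is the behaviour you want from tooling that claims the key and the vault are always separate.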

Encryption at a Glance
