Privacy Guide
AgentZero provides layered privacy controls: from simple one-line modes to per-agent, per-tool, and per-channel boundaries. All privacy features are behind the privacy Cargo feature flag.
Quick Start
Add one line to your agentzero.toml:
```toml
[privacy]
mode = "private"  # Blocks network tools, encrypts transport, allows explicit cloud providers
```
That’s it. AgentZero will:
- Block all outbound network tools (web_search, http_request, web_fetch, composio, TTS, image/video gen)
- Auto-enable Noise Protocol encryption and key rotation
- Allow cloud AI providers (Anthropic, OpenAI, etc.) that you explicitly configure
- Set per-agent boundary default to `encrypted_only`
For fully offline operation, use mode = "local_only" instead.
Privacy Modes
| Mode | Cloud Providers | Network Tools | Encryption | Sealed Envelopes | Key Rotation |
|---|---|---|---|---|---|
| off | Allowed | Allowed | No | No | No |
| private | Allowed (explicit) | Blocked | Noise Protocol | No | Auto |
| local_only | Blocked | Blocked | No | No | No |
| encrypted | Allowed | Allowed | Noise Protocol | No | Auto |
| full | Allowed | Allowed | Noise Protocol | Yes | Auto |
off (default)
No privacy restrictions. All providers and tools work normally.
private
Privacy-first mode designed for agentzero-lite and edge deployments. Blocks agent-initiated network tools while allowing explicitly-configured cloud AI providers:
- Network tools are disabled (web_search, http_request, web_fetch, composio, TTS, image/video gen, domain tools)
- Cloud providers work when explicitly configured in TOML (Anthropic, OpenAI, etc.)
- Noise Protocol and key rotation are auto-enabled
- Per-agent boundary defaults to `encrypted_only`
- URL access is not restricted (so cloud provider API calls still work)
This is the default mode for agentzero-lite. Use --privacy-mode off to revert.
local_only
The strictest mode. Ensures no data leaves your machine:
- Only local providers are allowed (ollama, llamacpp, lmstudio, vllm, sglang, osaurus, whispercpp)
- Network tools are disabled (web_search, http_request, web_fetch, composio)
- WASM plugins have network access revoked
- Provider base URLs must be localhost
- URL access restricted to localhost only
encrypted
All communication with the gateway is encrypted using the Noise Protocol (XX handshake, X25519_ChaChaPoly_BLAKE2s). Cloud providers are allowed because traffic is protected in transit. Key rotation runs automatically. Network tools remain available.
full
Everything in encrypted plus sealed envelope support for zero-knowledge routing. The gateway can relay encrypted messages without reading their content.
agentzero-lite: Privacy-First by Default
The agentzero-lite binary defaults to mode = "private". This means:
- No config needed — just run `agentzero-lite` and it starts with privacy protections
- Noise Protocol and key rotation are active from the first request
- Tighter rate limits (120 req/min vs 600 default) for single-user edge devices
- `--privacy-mode off` reverts to standard behavior
- `--privacy-mode local_only` for fully offline operation
```bash
# Default: private mode (blocks network tools, encrypts transport)
agentzero-lite

# Fully offline (blocks cloud providers too)
agentzero-lite --privacy-mode local_only

# No restrictions
agentzero-lite --privacy-mode off
```
Per-Component Privacy Boundaries
For fine-grained control, assign privacy boundaries to individual agents, tools, and channels.
Agent Boundaries
Section titled “Agent Boundaries”[agents.research]provider = "anthropic"model = "claude-sonnet-4-6"privacy_boundary = "encrypted_only" # Must use encrypted transport
[agents.local-draft]provider = "ollama"model = "llama3"privacy_boundary = "local_only" # No network access at allBoundary values: inherit (use parent/global), local_only, encrypted_only, any.
Rule: A child boundary can never be more permissive than its parent. If the global mode is local_only, an agent can’t have privacy_boundary = "any" (config validation will reject it).
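The rule above, written out as a small validator that also resolves inherit along a global -> agent -> tool chain. This is an added example, not AgentZero's own code; the strictness ordering local_only < encrypted_only < any and the function names are assumptions.

```rust
// Added example, not AgentZero source. The strictness ordering and all
// function names are assumptions made for illustration.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
enum Boundary {
    LocalOnly,     // strictest
    EncryptedOnly,
    Any,           // most permissive
}

/// Parse a privacy_boundary value; Ok(None) means "inherit".
fn parse(value: &str) -> Result<Option<Boundary>, String> {
    match value {
        "inherit" => Ok(None),
        "local_only" => Ok(Some(Boundary::LocalOnly)),
        "encrypted_only" => Ok(Some(Boundary::EncryptedOnly)),
        "any" => Ok(Some(Boundary::Any)),
        other => Err(format!("unknown privacy_boundary {other:?}")),
    }
}

/// Effective boundary of a child, or an error if it would widen its parent.
fn resolve(parent: Boundary, child: &str) -> Result<Boundary, String> {
    match parse(child)? {
        None => Ok(parent),
        Some(b) if b > parent => Err(format!("{child:?} is more permissive than {parent:?}")),
        Some(b) => Ok(b),
    }
}

/// Resolve a chain such as global -> agent -> tool, failing at the first widening.
fn resolve_chain(global: Boundary, chain: &[&str]) -> Result<Boundary, String> {
    chain.iter().try_fold(global, |parent, child| resolve(parent, child))
}

fn main() {
    // Global mode "private" sets the per-agent default to encrypted_only (from the page).
    let global = Boundary::EncryptedOnly;
    println!("{:?}", resolve(global, "inherit"));
    println!("{:?}", resolve(global, "local_only"));
    println!("{:?}", resolve(global, "any"));
    println!("{:?}", resolve_chain(Boundary::Any, &["encrypted_only", "inherit", "local_only"]));
}
```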
Tool Boundaries
Section titled “Tool Boundaries”[security.tool_boundaries]shell = "local_only" # Shell can't make network callsweb_search = "any" # Web search allowed everywherehttp_request = "encrypted_only" # HTTP only through encrypted transportProvider Restrictions
Section titled “Provider Restrictions”[agents.research]provider = "anthropic"model = "claude-sonnet-4-6"allowed_providers = ["anthropic", "openrouter"] # Only these providersblocked_providers = ["openai"] # Never use OpenAINoise Protocol Encryption
Section titled “Noise Protocol Encryption”When mode = "encrypted" or mode = "full", the gateway uses the Noise Protocol for end-to-end encryption.
Handshake patterns: XX (mutual authentication) and IK (known server key, faster reconnection) Cipher suite: X25519_ChaChaPoly_BLAKE2s
How It Works
XX pattern (first connection):
- Client calls `GET /v1/privacy/info` to discover gateway capabilities and supported patterns
- Client initiates XX handshake via `POST /v1/noise/handshake/step1`
- Server responds with its ephemeral + static keys
- Client completes handshake via `POST /v1/noise/handshake/step2`
- Server returns a session ID
- All subsequent requests use `X-Noise-Session: <id>` with encrypted bodies
IK pattern (reconnection with cached server key):
- Client sends a single `POST /v1/noise/handshake/ik` with client message + cached server public key
- Server completes handshake in one round-trip and returns a session ID
- The `auto_noise_handshake()` helper selects IK when a cached server key is available, falling back to XX otherwise
Configuration
```toml
[privacy.noise]
enabled = true
handshake_pattern = "XX"     # XX (mutual auth) or IK (known server key)
session_timeout_secs = 3600  # Sessions expire after 1 hour
max_sessions = 1000          # Maximum concurrent sessions
```
Note: `privacy.mode = "encrypted"` requires `privacy.noise.enabled = true`. Config validation will reject the combination of encrypted mode with noise disabled.
Memory Privacy Boundaries
Memory entries are tagged with the effective privacy boundary and source channel when stored. This ensures that agents with different boundaries see isolated conversation histories even when sharing the same memory backend.
- Each `MemoryEntry` carries `privacy_boundary` (e.g., "local_only", "encrypted_only") and `source_channel` (e.g., "telegram", "cli")
- `recent_for_boundary()` filters entries so an agent only sees entries matching its boundary
- Empty boundary entries are visible to all agents (backward-compatible default)
- SQLite databases are automatically migrated to include the new columns
Channel Privacy
Each channel can have its own privacy boundary:
```toml
[channels_config]
default_privacy_boundary = "encrypted_only"  # Global default for all channels

[channels.telegram]
privacy_boundary = "encrypted_only"

[channels.cli]
privacy_boundary = "local_only"  # CLI stays local
```
Channel dispatch enforces boundaries: messages with local_only boundary are blocked from being sent to non-local channels (Telegram, Discord, Slack, etc.). Only cli and transcription are considered local channels.
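The memory filter and the channel dispatch check described above, sketched together to show how untagged legacy entries cross boundaries. This is an added example, not AgentZero's code: the names mirror the page, while the struct layout, exact-match filtering, and the limit parameter are assumptions.

```rust
// Added example, not AgentZero source: names mirror the page, but the struct
// layout, exact-match filtering and the limit parameter are assumptions.
#[derive(Debug, Clone, PartialEq)]
struct MemoryEntry {
    content: String,
    privacy_boundary: String, // "" for entries stored before the migration
    source_channel: String,
}

fn entry(content: &str, boundary: &str, channel: &str) -> MemoryEntry {
    MemoryEntry { content: content.into(), privacy_boundary: boundary.into(), source_channel: channel.into() }
}

/// Entries an agent with `boundary` may read, newest first, at most `limit`.
/// The boundary filter runs before the limit, so hidden entries never count.
fn recent_for_boundary<'a>(store: &'a [MemoryEntry], boundary: &str, limit: usize) -> Vec<&'a MemoryEntry> {
    store.iter().rev()
        .filter(|e| e.privacy_boundary.is_empty() || e.privacy_boundary == boundary)
        .take(limit)
        .collect()
}

/// Only cli and transcription count as local channels (from the page).
fn is_local_channel(channel: &str) -> bool {
    matches!(channel, "cli" | "transcription")
}

/// Dispatch check: a local_only message may only go to a local channel.
fn may_dispatch(message_boundary: &str, target_channel: &str) -> bool {
    message_boundary != "local_only" || is_local_channel(target_channel)
}

/// Constructed sample data, oldest entry first.
fn sample_store() -> Vec<MemoryEntry> {
    vec![
        entry("legacy note", "", "cli"), // untagged: visible to every agent
        entry("api research", "encrypted_only", "telegram"),
        entry("draft notes", "local_only", "cli"),
    ]
}

fn main() {
    let store = sample_store();
    for e in recent_for_boundary(&store, "encrypted_only", 10) {
        println!("{} (from {})", e.content, e.source_channel);
    }
    println!("local_only -> telegram allowed: {}", may_dispatch("local_only", "telegram"));
}
```

Because untagged entries are readable by every agent, it is worth checking a migrated store for rows with an empty boundary before relying on isolation.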
Privacy Test Command
Validate your privacy configuration with the built-in diagnostic tool:
```bash
agentzero privacy test         # Human-readable output
agentzero privacy test --json  # Machine-readable JSON
```
Runs 8 checks: config validation, boundary resolution, memory isolation, sealed envelope round-trip, Noise XX/IK handshakes, channel locality, and encrypted store round-trip.
Sealed Envelopes & Relay Mode
When mode = "full", sealed envelopes enable zero-knowledge routing:
```toml
[privacy.sealed_envelopes]
enabled = true
max_envelope_bytes = 65536

[gateway]
relay_mode = true
```
Sealed envelopes are encrypted packets that the relay routes by routing_id without reading their content. Features:
- Replay protection — Each envelope carries a nonce; duplicates are rejected (HTTP 409)
- TTL-based expiry — Envelopes expire after a configurable TTL
- Metadata stripping — The relay strips identifying headers (X-Forwarded-For, X-Real-IP, Via)
- Timing jitter — Optional randomized delays on submit/poll responses to prevent traffic-analysis side-channels
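A minimal in-memory model of the relay behaviour listed above: nonce-based replay rejection, TTL expiry and the envelope size limit. This is an added example, not AgentZero's implementation; only the 409 comes from the page, while the other status codes, the type and function names, and remembering a nonce until its envelope's TTL passes are assumptions.

```rust
use std::collections::HashMap;

// Added example, not AgentZero source. Only the 409 comes from the page; the
// other status codes, the names, and the nonce retention window are assumptions.
const MAX_ENVELOPE_BYTES: usize = 65536; // max_envelope_bytes in the config above

struct Envelope { payload: Vec<u8>, expires_at: u64 }

#[derive(Default)]
struct Relay {
    mailboxes: HashMap<String, Vec<Envelope>>, // routing_id -> opaque ciphertexts
    seen: HashMap<[u8; 24], u64>,              // nonce -> time it may be forgotten
}

impl Relay {
    /// HTTP-style result: 202 accepted, 409 replayed nonce, 413 oversized.
    fn submit(&mut self, routing_id: &str, payload: &[u8], nonce: [u8; 24],
              ttl_secs: u64, now: u64) -> u16 {
        if payload.len() > MAX_ENVELOPE_BYTES { return 413; }
        self.expire(now);
        if self.seen.contains_key(&nonce) { return 409; }
        let expires_at = now + ttl_secs;
        self.seen.insert(nonce, expires_at);
        self.mailboxes.entry(routing_id.to_string()).or_default()
            .push(Envelope { payload: payload.to_vec(), expires_at });
        202
    }

    /// Hand over unexpired envelopes; the relay never inspects the payload.
    fn poll(&mut self, routing_id: &str, now: u64) -> Vec<Vec<u8>> {
        self.expire(now);
        let queued = self.mailboxes.remove(routing_id).unwrap_or_default();
        queued.into_iter().map(|e| e.payload).collect()
    }

    /// Drop expired envelopes, and forget a nonce only after its envelope expired.
    fn expire(&mut self, now: u64) {
        for queue in self.mailboxes.values_mut() { queue.retain(|e| e.expires_at > now); }
        self.seen.retain(|_, forget_at| *forget_at > now);
    }
}

fn main() {
    let mut relay = Relay::default();
    let nonce = [7u8; 24]; // constructed sample nonce
    println!("{}", relay.submit("ab12", b"sealed", nonce, 300, 1000));
    println!("{}", relay.submit("ab12", b"sealed", nonce, 300, 1001));
    println!("{}", relay.poll("ab12", 1002).len());
}
```

The nonce stays in the seen set after delivery, so a captured envelope resubmitted within its TTL is still rejected even though the mailbox is already empty.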
Timing Jitter
Enable timing jitter to add randomized delays to relay responses, making it harder for network observers to correlate submit and poll requests:
```toml
[privacy.sealed_envelopes]
enabled = true
timing_jitter_enabled = true
submit_jitter_min_ms = 10   # 10–100ms random delay on submit
submit_jitter_max_ms = 100
poll_jitter_min_ms = 20     # 20–200ms random delay on poll
poll_jitter_max_ms = 200
```
```bash
# Submit an envelope
curl -X POST /v1/relay/submit -d '{
  "routing_id": "<64-char hex>",
  "payload": "<base64-encoded sealed envelope>",
  "nonce": "<base64-encoded 24-byte nonce>",
  "ttl_secs": 300
}'

# Poll for envelopes
curl /v1/relay/poll/<routing_id>
```
Key Rotation
Keys rotate automatically in encrypted and full modes:
```toml
[privacy.key_rotation]
enabled = true
rotation_interval_secs = 86400  # Rotate every 24 hours (in seconds)
overlap_secs = 3600             # 1-hour overlap where both keys are valid
key_store_path = "keys/"        # Store keys on disk for restart recovery
```
Manual Rotation
```bash
agentzero privacy rotate-keys          # Rotate if interval elapsed
agentzero privacy rotate-keys --force  # Force immediate rotation
agentzero privacy status               # Show current mode, key rotation, session info
```
Monitoring
Privacy metrics are exposed on the /metrics Prometheus endpoint:
| Metric | Type | Description |
|---|---|---|
| agentzero_noise_sessions_active | Gauge | Active Noise sessions |
| agentzero_noise_handshakes_total{result} | Counter | Handshake attempts (success/failure) |
| agentzero_relay_mailbox_envelopes | Gauge | Envelopes in relay mailboxes |
| agentzero_relay_submit_total | Counter | Total envelope submissions |
| agentzero_key_rotation_total{epoch} | Counter | Key rotation events |
| agentzero_privacy_encrypt_duration_seconds | Histogram | Encrypt/decrypt latency |