backendenc: Backend Security Toolkit
This skill provides mandatory encryption for OpenClaw agents running in Node.js/Backend environments. It operates in Local Manual Mode, using the Node.js built-in crypto module.
Context
Unlike the frontend version which uses Web Crypto, this version is designed for server-side execution, CLI tools, or background agents. It stores metadata in a persistent local file (or compatible storage provider).
Key Hierarchy
- Master Key (MK): Derived from your passphrase using
crypto.pbkdf2. - Persistence: A unique "Salt" is stored in your configuration. As long as you remember your passphrase, the same Master Key will be generated across reboots.
- Key Encryption Key (KEK): Generated randomly and encrypted by your MK.
- Data Encryption Keys (DEKs): Scoped keys (e.g.,
memory, assets) encrypted by the KEK.
Security Disclosure
- Zero Network: This skill does NOT perform any external network requests. All operations happen via the Node.js
crypto module. - No Cleartext Keys: Keys are never stored in cleartext. They are always "wrapped" (encrypted) by a higher-level key using AES-256-GCM.
- Passphrase Obligation: You must provide your passphrase to "unlock" the vault after هر server reboot.
Multi-User & Channel Isolation
Designed for high-concurrency backend environments:
- Key Partitioning: All storage keys follow the
${userId}:${channelId}:key format. - Security: Ensures that even if the underlying storage file is compromised, keys for different users remain cryptographically separated.
Usage (Backend)
import { EncryptionService } from './encryption-service.js';
// Access context IDs
const { userId, channelId } = agent.context;
// Unlock for context
await EncryptionService.unlock(userId, channelId, 'passphrase');
// Scoped encryption
const encrypted = await EncryptionService.encrypt(userId, channelId, 'history', 'data');