Disk Encryption

Disk encryption protects all data stored on a server by encrypting the entire disk with LUKS2. If someone physically accesses the drive, the data is unreadable without the encryption key.

What is disk encryption?

Disk encryption is a security measure that converts all data on a storage device into an unreadable format using a cryptographic key. Without the correct key, the data appears as random noise. LUKS2 (Linux Unified Key Setup version 2) is the industry-standard disk encryption system for Linux servers, providing full-disk encryption with strong key management.

Full-disk encryption protects against physical access threats. If a hard drive is removed from a server, cloned, or accessed through a recovery boot, the data remains encrypted and unreadable. This covers all data on the disk: application files, databases, logs, temporary files, cached data, and anything the operating system writes to storage.

Without disk encryption, anyone with physical or administrative access to the storage medium can read all data directly. This includes cloud providers, data center technicians, and anyone who gains access to backup snapshots. Disk encryption ensures that your data remains private even if the underlying storage is accessed outside of the running server.

Why it matters

For AI agents, disk encryption protects conversation logs, agent memory, cached data, skill configurations, and any files the agent creates or processes. Without encryption, this data sits in plaintext on the server's disk, readable by anyone who can access the storage.

Most self-hosted setups skip disk encryption because it requires re-provisioning the server from scratch. You cannot encrypt an existing disk without wiping and rebuilding it. This means the majority of AI agent servers have unencrypted disks, leaving all agent data exposed to physical access threats and storage-level breaches.

How ClawTrust handles this

Every ClawTrust server is provisioned with LUKS2 full-disk encryption from the very first boot. This is not an optional add-on. It is part of the automated provisioning process. All agent data, including conversation logs, memory, skills, and cached files, is encrypted on disk at all times. The encryption key is derived using a memory-hard function that resists brute-force attacks. Combined with the credential vault (which keeps API keys off the server entirely), your data is protected both on disk and in transit.
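One way to check that claim on any LUKS2 server is to read the header with `cryptsetup luksDump` and confirm that every keyslot uses an Argon2 PBKDF with a sufficient memory cost. The audit below is an added example, not ClawTrust's own tooling; the dump it parses is constructed, and the 256 MiB minimum is an assumed policy threshold rather than a LUKS2 default.

```python
import re

# Constructed `cryptsetup luksDump` excerpt (illustrative, not captured from a
# real server): slot 0 uses argon2id, slot 1 a non-memory-hard PBKDF.
SAMPLE_DUMP = """\
Version:        2
Keyslots:
  0: luks2
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
        Memory:     1048576
  1: luks2
        Cipher:     aes-xts-plain64
        PBKDF:      pbkdf2
        Iterations: 1000000
Digests:
"""

def parse_luks_dump(dump):
    """Return (header version, list of keyslot dicts) from luksDump text."""
    m = re.search(r"^Version:\s*(\d+)", dump, re.M)
    version = int(m.group(1)) if m else None
    slots, slot, in_keyslots = [], None, False
    for line in dump.splitlines():
        if re.match(r"\S", line):                 # top-level section header
            in_keyslots = line.startswith("Keyslots:")
        elif in_keyslots:
            head = re.match(r"\s*(\d+):\s*(\w+)", line)
            if head:                              # e.g. "  0: luks2"
                slot = {"id": int(head.group(1)), "type": head.group(2)}
                slots.append(slot)
            elif slot is not None and ":" in line:
                key, val = line.strip().split(":", 1)
                slot[key.strip().lower()] = val.strip()
    return version, slots

def audit_luks_dump(dump, min_memory_kib=256 * 1024):
    """Return policy findings (empty list = pass). min_memory_kib is an assumed
    site policy; luksDump prints the argon2 memory cost in KiB."""
    version, slots = parse_luks_dump(dump)
    findings = []
    if version != 2:
        findings.append(f"header version {version}, expected 2 (LUKS2)")
    for s in slots:
        pbkdf = s.get("pbkdf")
        if pbkdf not in ("argon2id", "argon2i"):
            findings.append(f"keyslot {s['id']}: PBKDF {pbkdf} is not memory-hard")
        elif int(s.get("memory", "0")) < min_memory_kib:
            findings.append(f"keyslot {s['id']}: argon2 memory {s['memory']} KiB below policy")
    return findings
```

A second keyslot added later with `--pbkdf pbkdf2` silently weakens the whole device, which is why the check runs over every slot rather than only the first.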

Frequently asked questions

What is LUKS2?

LUKS2 is the second version of the Linux Unified Key Setup standard for disk encryption. It is the most widely used disk encryption system on Linux servers, providing strong encryption with flexible key management. It encrypts the entire disk partition, protecting all data at rest.

Does disk encryption slow down the server?

Modern CPUs have hardware acceleration for encryption operations, so the performance impact is minimal (typically under 5%). The security benefit far outweighs the negligible performance cost.

Why can't I just encrypt specific files instead?

File-level encryption leaves gaps. Temporary files, swap space, log files, and cached data are often written to disk unencrypted. Full-disk encryption covers everything, including data you did not explicitly choose to encrypt. There are no gaps.

Do most VPS providers offer disk encryption?

Most VPS providers offer encryption at the storage infrastructure level, but this only protects against physical drive theft at the data center. It does not protect against access through the hypervisor, backup snapshots, or administrative access. LUKS2 encryption on the server itself provides an additional layer that you control.

Is my data encrypted when it is being used by the agent?

Disk encryption protects data at rest (on the storage device). When the agent reads data into memory for processing, it is decrypted. This is why ClawTrust combines disk encryption with network-level protections (zero open ports, encrypted tunnels) and credential isolation (vault) for comprehensive security.

See it in action

ClawTrust implements disk encryption automatically. Your agent is live in under 5 minutes.