Skip to content

Security

Lango provides multiple layers of security to protect sensitive data flowing between users, agents, and AI providers.

Security Layers

Layer Purpose Details
Master Key Envelope Hierarchical key management MK/KEK architecture, recovery mnemonic, passphrase rotation without re-encryption
Encryption & Secrets Protect data at rest and in transit AES-256-GCM encryption, key registry, secret management
PII Redaction Strip personal information before it reaches AI providers Regex patterns + optional NER via Microsoft Presidio
Exportability Policy Decide what early knowledge artifacts can be traded Source-primary evaluation for knowledge exchange v1
Approval Flow Decide when early artifact releases can move forward Structured artifact release states and audit-backed receipts
Upfront Payment Approval Decide whether a transaction may start with an upfront payment Structured prepayment decisioning and canonical transaction receipt state
Escrow Execution Execute approved escrow recommendations into canonical receipt-backed escrow state Receipt-backed create + fund execution for escrow-recommended transactions
Actual Payment Execution Gating Enforce direct payment execution against canonical receipt state Receipt-backed allow/deny gate for payment_send and p2p_pay
Dispute-Ready Receipts Preserve receipt evidence for early knowledge exchange Lite submission/transaction receipt model with a current create_dispute_ready_receipt entrypoint
Tool Approval Control which tools agents can execute Policy-based approval workflows with channel notifications
Authentication Secure gateway access OIDC login flow, session management, CORS controls
Hardware Keyring Secure passphrase storage Hardware-backed passphrase via Touch ID (macOS Secure Enclave) or TPM 2.0 (Linux)
Payload Protection Protect sensitive data at rest Broker-managed AES-256-GCM payload encryption with redacted search projections
Cloud KMS / HSM Hardware-backed cryptography AWS KMS, GCP KMS, Azure Key Vault, PKCS#11 HSM integration
P2P Session Management Peer session lifecycle Session listing, explicit invalidation, security-event-based revocation
P2P Tool Sandbox Execution isolation Subprocess and container-based isolation for remote tool invocations
P2P Auth Hardening Signed challenge protocol ECDSA signed challenges, nonce replay protection, timestamp validation

Architecture

graph LR
    User -->|input| Interceptor
    Interceptor -->|PII redacted| Agent
    Agent -->|tool call| Approval[Tool Approval]
    Approval -->|approved| Tool
    Tool -->|secret ref| RefStore[Secret RefStore]
    RefStore -->|resolved| Execution
    Agent -->|output| Scanner[Output Scanner]
    Scanner -->|secrets masked| User

The security interceptor sits between the user and the AI agent. It:

  1. Redacts PII from user input before forwarding to the AI provider
  2. Gates tool execution behind an approval workflow for sensitive operations
  3. Scans agent output to replace any leaked secret values with [SECRET:name] placeholders

Enable the Interceptor

The security interceptor is disabled by default. Enable it in your configuration:

Settings: lango settings → Security

{
  "security": {
    "interceptor": {
      "enabled": true,
      "redactPii": true,
      "approvalPolicy": "dangerous"
    }
  }
}

Encryption Modes

Lango supports three encryption modes depending on your deployment:

  • Local Mode (default) -- AES-256-GCM with a Master Key envelope. The passphrase wraps a random Master Key; data keys are derived from the MK. Supports recovery mnemonic and O(1) passphrase rotation.
  • RPC Mode (production) -- Delegates cryptographic operations to a hardware-backed companion app or external signer. Keys never leave secure hardware.
  • Cloud KMS Mode (enterprise) -- Delegates to managed key services (AWS KMS, GCP KMS, Azure Key Vault) or on-premises HSM via PKCS#11. Automatic fallback to local mode when KMS is unavailable.

See Encryption & Secrets for full details.