// AI Agent Encryption Implementation Standards
A plain-text file convention for defining technical encryption standards AI agents must enforce. Approved algorithms, key lengths, TLS configuration, key rotation schedules, and compliance mapping — in one version-controlled file.
ENCRYPTION.md is a plain-text Markdown file you place in the root of any repository that contains an AI agent. It defines the technical encryption standards your agent and its infrastructure must enforce — the algorithms, key lengths, TLS requirements, and compliance mappings.
AI agents handle sensitive data: API keys, user information, session state, model outputs. Without explicit encryption standards, individual developers make ad-hoc choices — often defaulting to whatever is convenient rather than what is correct. ENCRYPTION.md removes the ambiguity by making standards explicit, version-controlled, and auditable.
Drop ENCRYPTION.md in your repo root and define: approved and forbidden algorithms (AES-256-GCM approved, DES and RC4 forbidden), key rotation schedules (90 days for data keys, 30 days for API keys), TLS requirements (version 1.3 minimum, HSTS required), and compliance standard mappings for FIPS, SOC2, ISO 27001, and GDPR.
The GDPR (Article 32), SOC2 CC6.7, ISO 27001 A.10.1, and EU AI Act (effective 2 August 2026) all mandate documented encryption controls. ENCRYPTION.md provides the auditable record each requires — version-controlled alongside your code.
Copy the template from GitHub and place it in your project root:
ENCRYPTION.md works alongside ENCRYPT.md. ENCRYPT.md classifies data (what is critical, sensitive, internal, or public). ENCRYPTION.md specifies the technical controls (which algorithms, which TLS versions, how to store keys). Together they provide complete data protection documentation.
The AI agent reads it on startup. Your security engineer reads it during code review. Your compliance team reads it during audits. Your regulator reads it if something goes wrong. One file serves all four audiences.
ENCRYPTION.md is one file in a complete open specification for AI agent safety. The twelve-file stack provides graduated intervention from proactive slow-down through permanent shutdown and compliance enforcement.
A plain-text Markdown file defining the technical encryption standards AI agents must enforce. It specifies approved algorithms (AES-256-GCM, ChaCha20-Poly1305), forbidden algorithms (DES, RC4, MD5, SHA-1), key rotation schedules, TLS version requirements, key storage rules, and compliance mappings for FIPS 140-3, SOC2, ISO 27001, and GDPR.
ENCRYPT.md defines the data protection policy — what data is critical, sensitive, internal, or public, and the rules around it. ENCRYPTION.md defines the technical implementation standards — which algorithms to use, which TLS versions are required, and how key rotation works. They are complementary: ENCRYPT.md is the "what", ENCRYPTION.md is the "how".
TLS 1.2 has known vulnerabilities and is deprecated by modern security standards. TLS 1.3 is faster, simpler, and eliminates entire classes of attacks (POODLE, BEAST, LUCKY13). ENCRYPTION.md requires TLS 1.3 for all new connections and only permits TLS 1.2 for legacy compatibility where strictly unavoidable.
ENCRYPTION.md defines per-key-type schedules: data encryption keys rotate every 90 days (or immediately on suspected compromise), TLS certificates rotate annually (quarterly preferred), API keys rotate monthly. Breach detection always triggers immediate rotation regardless of schedule.
Yes. Approved sources: environment variables injected at runtime, secrets managers (AWS Secrets Manager, HashiCorp Vault, etc.), and hardware security modules. Forbidden: hardcoded in source code, plaintext config files committed to VCS, or stored in agent long-term memory.
Four standards are mapped in the COMPLIANCE section: FIPS 140-3 (federal and regulated sectors), SOC2 (CC6.1, CC6.7, CC7.2), ISO 27001 (A.10.1.1, A.10.1.2, A.18.1.5), and GDPR (Articles 25, 32, 33). The mapping shows which spec sections satisfy which controls.
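The algorithm lists, rotation schedules, TLS minimum and key storage rules described above can be checked mechanically. The following Python is an added example, not code from the ENCRYPTION.md project: it audits a constructed key inventory against those values. The policy dictionary layout, record fields and function names are assumptions, since the page does not show the file's own syntax.

```python
from datetime import date

# Values come from the page; the dict layout is an assumption, not the file format.
POLICY = {
    "approved": {"AES-256-GCM", "ChaCha20-Poly1305"},
    "forbidden": {"DES", "RC4", "MD5", "SHA-1"},
    "rotation_days": {"data_key": 90, "api_key": 30, "tls_cert": 365},
    "storage": {"env", "secrets_manager", "hsm"},
    "min_tls": (1, 3),
}

def audit_key(key, today):
    """Return policy findings for one key-inventory record."""
    findings = []
    algo = key.get("algorithm")  # None for API keys, which have no cipher
    if algo in POLICY["forbidden"]:
        findings.append(f"forbidden algorithm {algo}")
    elif algo is not None and algo not in POLICY["approved"]:
        findings.append(f"algorithm {algo} is not on the approved list")
    if key["storage"] not in POLICY["storage"]:
        findings.append(f"forbidden key storage {key['storage']}")
    overdue = (today - key["last_rotated"]).days - POLICY["rotation_days"][key["type"]]
    if key.get("suspected_compromise"):  # overrides the schedule
        findings.append("suspected compromise, rotate immediately")
    elif overdue > 0:
        findings.append(f"rotation overdue by {overdue} days")
    return findings

def audit_tls(version, legacy_exception=False):
    """TLS 1.3 is required; TLS 1.2 passes only with a recorded exception."""
    if version >= POLICY["min_tls"] or (version == (1, 2) and legacy_exception):
        return []
    return [f"TLS {version[0]}.{version[1]} is below the required 1.3"]

# Constructed sample inventory, audited on a fixed date for reproducibility.
TODAY = date(2025, 6, 1)
INVENTORY = [
    {"id": "dek-1", "type": "data_key", "algorithm": "AES-256-GCM",
     "storage": "secrets_manager", "last_rotated": date(2025, 4, 1)},
    {"id": "dek-2", "type": "data_key", "algorithm": "RC4",
     "storage": "source_code", "last_rotated": date(2025, 1, 1)},
    {"id": "api-2", "type": "api_key", "storage": "hsm",
     "last_rotated": date(2025, 5, 25), "suspected_compromise": True},
]

def run_audit():
    return {k["id"]: audit_key(k, TODAY) for k in INVENTORY}

if __name__ == "__main__":
    print(run_audit())
```

A check like this fits in CI or a scheduled job, so that overdue or misplaced keys surface before an audit does.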