Skip to main content

Security & Privacy

CyberMem is designed with a "Local-First" philosophy. Your AI's memory belongs to you, and only you.

Core Principles​

πŸ—„οΈ Local Storage​

All memory vectors and entity graphs are stored in a local SQLite database on your filesystem. No data is ever sent to CyberMem or any third-party cloud.

πŸ‘οΈ No Telemetry​

The core binary contains zero usage tracking or analytics. The only network requests made are those you explicitly configure (e.g., to your LLM provider).

πŸ” Encryption At Rest​

We support standard filesystem encryption. On RPi and VPS deployments, we recommend using LUKS or similar disk encryption for maximum security.

πŸ”‘ Your Keys, Your Control​

API keys for LLM providers (OpenAI, Anthropic, etc.) are stored in your local .env file or passed at runtime. They are never logged or exported.

Security by Environment​

EnvironmentAuth RequiredHTTPSNotes
LocalNoNoKeyless access for localhost
RPiYesOptionalUse --remote-access for Tailscale HTTPS
VPSYesYesAuto-SSL via Caddy/Traefik

Authentication Flow​

β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”     β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”     β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚  AI Client  │────▢│   Traefik   │────▢│ OpenMemory  β”‚
β”‚ (Claude,    β”‚     β”‚  (Auth +    β”‚     β”‚  (Memory    β”‚
β”‚  Cursor)    β”‚     β”‚  Logging)   β”‚     β”‚   API)      β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜     β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜     β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
       β”‚                   β”‚
       β”‚ X-Client-Name     β”‚ Access Logs
       β”‚ X-API-Key         β”‚
       β–Ό                   β–Ό
                    β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
                    β”‚ Prometheus  β”‚
                    β”‚  (Metrics)  β”‚
                    β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
  • Local mode: No API key required. Traefik accepts all localhost connections.
  • Remote mode: API key validated by Traefik middleware before forwarding.

Common Questions​

Does CyberMem train on my data?​

No. CyberMem is a self-hosted infrastructure component. We have no access to your data, so training on it is physically impossible.

What about the Cloud deployment?​

Even when deployed to a cloud VPS (AWS, DigitalOcean), you control the instance. We provide the Docker image; you run it. We do not offer a managed SaaS version.

How do I rotate API keys?​

# Generate new key
NEW_KEY=$(openssl rand -hex 32)

# Update your .env
echo "OM_API_KEY=sk-$NEW_KEY" >> ~/.cybermem/.env

# Restart services
cd ~/.cybermem && docker-compose restart

Reporting Vulnerabilities​

If you discover a security vulnerability, please do NOT open a public issue. Contact the maintainer directly via GitHub Security Advisories.