[PR #3852] Add optional encryption of checkpointer payloads #3504

Closed
opened 2026-02-20 17:48:42 -05:00 by yindo · 0 comments
Owner

Original Pull Request: https://github.com/langchain-ai/langgraph/pull/3852

State: closed
Merged: Yes


  • no dependency on any particular encryption lib (there is no py stdlib encryption lib)
  • works with any modern checkpointer, ie. those which use dumps_typed and loads_typed methods to serialize data
  • uses the default msg pack serializer, but also works with any custom serializer
  • backwards compatible with unencrypted data in same storage (will just be read unencrypted)
  • providing easy constructor to use AES encryption through pycriptodome library, one single line of code to add it in
  • other encryption libraries or algorithms (even assymetric ones) can be used by implementing the two-method CipherProtocol interface
  • cipher name (eg. aes) is stored with encrypted payload for forwards compatibility
import sqlite3

from langgraph.checkpoint.serde.encrypted import EncryptedSerializer
from langgraph.checkpoint.sqlite import SqliteSaver

# will read AES key from env var LANGGRAPH_AES_KEY
serde = EncryptedSerializer.from_pycryptodome_aes()
# works with any other checkpointer, including custom ones
checkpointer = SqliteSaver(sqlite3.connect('...'), serde=serde)
**Original Pull Request:** https://github.com/langchain-ai/langgraph/pull/3852 **State:** closed **Merged:** Yes --- - no dependency on any particular encryption lib (there is no py stdlib encryption lib) - works with any modern checkpointer, ie. those which use dumps_typed and loads_typed methods to serialize data - uses the default msg pack serializer, but also works with any custom serializer - backwards compatible with unencrypted data in same storage (will just be read unencrypted) - providing easy constructor to use AES encryption through pycriptodome library, one single line of code to add it in - other encryption libraries or algorithms (even assymetric ones) can be used by implementing the two-method CipherProtocol interface - cipher name (eg. aes) is stored with encrypted payload for forwards compatibility ```py import sqlite3 from langgraph.checkpoint.serde.encrypted import EncryptedSerializer from langgraph.checkpoint.sqlite import SqliteSaver # will read AES key from env var LANGGRAPH_AES_KEY serde = EncryptedSerializer.from_pycryptodome_aes() # works with any other checkpointer, including custom ones checkpointer = SqliteSaver(sqlite3.connect('...'), serde=serde) ```
yindo added the pull-request label 2026-02-20 17:48:42 -05:00
yindo closed this issue 2026-02-20 17:48:43 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: langchain-ai/langgraph#3504