Lobstack is a managed cloud platform for deploying autonomous AI agents. Each agent runs on a dedicated virtual machine with persistent memory, 700+ integrations, and goes live in under 90 seconds with zero DevOps.

How long does it take to deploy an AI agent?

You can deploy an AI agent on Lobstack in under 90 seconds. Describe what your agent should do, pick a model, and Lobstack handles all the infrastructure — no Docker, Kubernetes, or server setup needed.

What AI models does Lobstack support?

Lobstack supports 16 AI models including Claude Opus and Sonnet from Anthropic, GPT-5 and GPT-4o from OpenAI, Gemini 2.5 Pro from Google, plus DeepSeek, Mistral, and Grok. You can hot-swap models without losing agent memory or configuration.

Is Lobstack secure for enterprise use?

Yes. Every agent runs in a gVisor-sandboxed VM with AES-256 encryption at rest, TLS 1.3 in transit, HashiCorp Vault for secrets, row-level security on all tables, and full audit logging. Lobstack is SOC 2 aligned.

Docs/Security & Infrastructure/Encryption (AES-256)

Security

AES-256 Encryption

End-to-end encryption at every layer: data at rest, data in transit, and application-level encryption via Vault Transit.

💡

Encryption Standard

Lobstack uses AES-256 for all encryption — the same standard used by governments and financial institutions worldwide. All keys are managed through HashiCorp Vault with automatic rotation every 90 days.

Encryption Overview#

Layer	Encryption	Key Management	Rotation
Kubernetes Secrets	AES-256-CBC (aescbc)	K8s EncryptionConfiguration	Manual (key versioning)
Vault Storage	AES-256-GCM	Vault seal mechanism (Raft)	Automatic
Transit Encryption	AES-256-GCM	Vault Transit engine	90-day auto-rotation
Disk Volumes	AES-256	Cloud provider KMS	Cloud provider managed
External Traffic	TLS 1.3 (ECDSA P-256)	cert-manager + Let's Encrypt	Auto-renewal at 60 days
Internal Traffic	mTLS (X.509)	Istio Citadel	Automatic rotation

Encryption at Rest#

Kubernetes Secrets Encryption#

By default, Kubernetes stores Secrets as base64-encoded plaintext in etcd. Lobstack configures the EncryptionConfiguration to encrypt all Secrets and ConfigMaps using AES-256-CBC before writing to etcd.

K8s API Server Encryption Config

apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
      - configmaps
    providers:
      # Primary: AES-256-CBC encryption
      - aescbc:
          keys:
            - name: lobstack-key-1
              secret: <32-byte-base64-key>
      # Fallback: read unencrypted (for migration)
      - identity: {}

⚠️

Key Generation

Generate a real 32-byte encryption key with: head -c 32 /dev/urandom | base64. Never commit encryption keys to source control. Store them in Vault or a KMS.

Vault Data Encryption#

Vault encrypts all stored data using its seal mechanism. With Raft integrated storage, data is encrypted at the storage layer before being written to disk. The master key is split into unseal keys using Shamir's Secret Sharing.

Volume Encryption#

All persistent volumes use an encrypted StorageClass. The cloud provider encrypts disk data at rest using AES-256, with keys managed by the provider's KMS. Vault data volumes use a separate StorageClass with reclaimPolicy: Retain to prevent accidental data loss.

Encryption in Transit#

External TLS (Public Endpoints)#

All external traffic to lobstack.ai is encrypted with TLS 1.3 using ECDSA P-256 certificates issued by Let's Encrypt. Certificate lifecycle is fully automated by cert-manager.

cert-manager Certificate

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: lobstack-tls-cert
spec:
  secretName: lobstack-tls-cert
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  duration: 2160h         # 90-day certificates
  renewBefore: 720h       # Renew 30 days early
  privateKey:
    algorithm: ECDSA
    size: 256
  dnsNames:
    - lobstack.ai
    - "*.lobstack.ai"
    - api.lobstack.ai

🔄

Auto-Renewal

cert-manager renews certificates 30 days before expiry. No manual intervention required.

🌐

HTTP → HTTPS Redirect

The Istio gateway redirects all HTTP (port 80) traffic to HTTPS (port 443) automatically.

🔐

ECDSA P-256

Faster than RSA, smaller key size, equivalent security to RSA-3072. Industry standard for modern TLS.

Internal mTLS (Service-to-Service)#

Every internal request between services goes through Istio's mTLS. Both the client and server present X.509 certificates — mutual authentication ensures both sides are who they claim to be.

Mesh-Wide Strict mTLS

apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: mesh-strict-mtls
  namespace: istio-system
spec:
  mtls:
    mode: STRICT   # ALL traffic must be mTLS — no exceptions

With STRICT mode, any unencrypted request between pods is rejected. This applies mesh-wide — there is no opt-out for individual services.

Application-Level Encryption (Vault Transit)#

For encrypting application data (API keys, user tokens, sensitive config), Lobstack uses the Vault Transit engine. This provides encryption-as-a-service — the application sends plaintext to Vault, receives ciphertext back, and never handles raw keys.

Transit Key Configuration

# AES-256-GCM key with 90-day automatic rotation
vault write -f transit/keys/lobstack \
  type=aes256-gcm96 \
  auto_rotate_period=90d

vault write -f transit/keys/agent-data \
  type=aes256-gcm96 \
  auto_rotate_period=90d

Transit API Usage#

The Vault secrets client (src/lib/vault.ts) exposes simple encrypt() and decrypt() functions that use the Transit engine under the hood.

src/lib/vault.ts — Transit Encryption

import { encrypt, decrypt } from "@/lib/vault";

// Encrypt sensitive data before storing
const ciphertext = await encrypt("sk-ant-api-key-12345");
// → "vault:v1:8fLkx3MgkU..."

// Decrypt when needed
const plaintext = await decrypt(ciphertext);
// → "sk-ant-api-key-12345"

// Separate key for agent workspace data
const agentCipher = await encrypt(workspaceData, "agent-data");

🔄

Key Rotation Without Re-encryption

When keys rotate, Vault can still decrypt data encrypted with older key versions. Ciphertext carries a version prefix (vault:v1:, vault:v2:, etc.).

📝

Full Audit Trail

Every encrypt/decrypt operation is logged in the Vault audit log with the requesting identity and timestamp.

🛡️

Keys Never Leave Vault

The Transit engine performs all crypto operations server-side. Encryption keys are never exposed to the application.

Encryption Summary#

What's Encrypted

✓ Kubernetes Secrets in etcd     → AES-256-CBC (EncryptionConfiguration)
✓ Vault secret storage            → AES-256-GCM (Raft seal)
✓ Persistent disk volumes         → AES-256 (cloud provider KMS)
✓ External HTTPS traffic          → TLS 1.3 (ECDSA P-256, cert-manager)
✓ Internal service traffic        → mTLS (Istio STRICT, X.509 certs)
✓ Vault client connections        → TLS 1.3 (internal CA)
✓ API keys & sensitive config     → AES-256-GCM (Vault Transit)
✓ Agent workspace data            → AES-256-GCM (Vault Transit, agent-data key)

✅

Next: Secrets Management

Learn how Vault manages the keys and secrets that power this encryption in Secrets Management.

Kubernetes & Scaling Secrets Management