Advanced · 10 min
Encryption, TTL & Checkpointer Backends
Encrypt checkpoints at rest with AES, configure TTL policies for automatic cleanup, and choose from 8 checkpointer backends for production persistence.
Quick Reference
- EncryptedSerializer wraps any checkpointer with AES-256 encryption at rest
- Set LANGGRAPH_AES_KEY environment variable — automatic on Agent Server
- TTL policies auto-delete old threads and checkpoints (strategies: delete or keep_latest)
- Store item TTL with refresh_on_read keeps frequently accessed items alive
- 8 checkpointer backends: Memory, SQLite, PostgreSQL, MongoDB, Redis, AWS, CockroachDB, Aerospike
- PostgresSaver is the production default — battle-tested, supports async, and scales well
Checkpoint Encryption
Checkpoints contain full conversation history and agent state — including potentially sensitive user data. EncryptedSerializer wraps the default serializer with AES-256 encryption, so checkpoint data is encrypted at rest in your database. On Agent Server, just set the LANGGRAPH_AES_KEY environment variable and encryption is automatic.
Enable checkpoint encryption
Key management
The LANGGRAPH_AES_KEY must be a 32-byte key (256-bit AES). Store it in your secrets manager (AWS Secrets Manager, HashiCorp Vault, etc.). If you lose the key, all encrypted checkpoints become unrecoverable.
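The following is an added example, not code from the original page or from the LangGraph project: a startup check that fails closed when LANGGRAPH_AES_KEY is missing, the wrong length, or an obvious placeholder, followed by wiring EncryptedSerializer into a SQLite checkpointer. Assumptions: the variable's UTF-8 bytes are used directly as the key, the helper names and `checkpoints.db` are hypothetical, and `build_checkpointer` needs langgraph, langgraph-checkpoint-sqlite and pycryptodome installed.

```python
import hashlib
import os
import secrets

ENV_VAR = "LANGGRAPH_AES_KEY"  # variable name from the page


def generate_key_value() -> str:
    """32 URL-safe characters (192 bits of randomness) to store in the secrets manager."""
    return secrets.token_urlsafe(24)


def load_aes_key(environ=os.environ) -> bytes:
    """Return the key bytes, or raise before any checkpoint is written."""
    value = environ.get(ENV_VAR)
    if not value:
        raise RuntimeError(f"{ENV_VAR} is not set; refusing to run unencrypted")
    key = value.encode()  # assumption: the variable's UTF-8 bytes are the key
    if len(key) != 32:
        raise RuntimeError(f"{ENV_VAR} must be 32 bytes, got {len(key)}")
    if len(set(key)) < 8:  # heuristic: catches values like "a" * 32
        raise RuntimeError(f"{ENV_VAR} looks like a placeholder, not a random key")
    return key


def key_fingerprint(key: bytes) -> str:
    """Short one-way ID that is safe to log; compare it across deploys and restores."""
    return hashlib.sha256(b"checkpoint-key-id:" + key).hexdigest()[:12]


def build_checkpointer(db_path: str = "checkpoints.db"):
    """SQLite checkpointer whose stored checkpoints are AES-encrypted."""
    import sqlite3
    # Imported lazily: needs langgraph, langgraph-checkpoint-sqlite, pycryptodome.
    from langgraph.checkpoint.serde.encrypted import EncryptedSerializer
    from langgraph.checkpoint.sqlite import SqliteSaver

    key = load_aes_key()  # fail closed before touching the database
    serde = EncryptedSerializer.from_pycryptodome_aes()  # reads LANGGRAPH_AES_KEY
    print(f"checkpoint encryption enabled, key id {key_fingerprint(key)}")
    return SqliteSaver(sqlite3.connect(db_path, check_same_thread=False), serde=serde)
```

Record the logged key id alongside each database backup, so a restore can be matched to the key that is able to decrypt it.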