PenLocal-AI Security Architecture

Overview

PenLocal-AI is designed as an "Offline-First", secure, self-hosted AI pentesting environment. The architecture prioritizes data sovereignty, network isolation, and defense-in-depth to safely run autonomous security agents (Kali Linux) alongside sensitive vulnerability data.

Core Security Pillars

1. Network Isolation & Segmentation

We utilize a strict 3-tier network model to prevent compromised agents from pivoting to the host or backend services.

  • Networking Security Details: Full details on subnets, Docker networks, and host port binding.

2. Encryption Everywhere

  • At Rest: Sensitive credentials and findings are encrypted using Fernet (AES-128-CBC) before storage.
  • In Transit: All service-to-service and user-to-service communication is encrypted via TLS/SSL (Nginx Proxies).
  • In Memory: Credentials used by agents are stored in RAM-only (tmpfs) volumes and never written to disk.
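
An added example (not PenLocal-AI's own code): a standard-library audit check that a stored value is a well-formed Fernet token and, given the key, that its HMAC-SHA256 tag verifies, so the at-rest claim above can be confirmed without decrypting anything. The record field names, key and token are constructed for illustration; the token layout follows the public Fernet specification.

```python
import base64, hashlib, hmac, struct

FERNET_VERSION = 0x80
MIN_LEN = 1 + 8 + 16 + 16 + 32  # version, timestamp, IV, one AES block, HMAC tag

def b64d(value):
    """Strict URL-safe base64 decode; rejects characters outside the alphabet."""
    data = value.encode() if isinstance(value, str) else value
    return base64.b64decode(data + b"=" * (-len(data) % 4), altchars=b"-_", validate=True)

def parse_fernet_token(token, key=None):
    """Return the token's fields, or None if it is not a well-formed Fernet token.
    With `key`, also verify the HMAC-SHA256 tag (nothing is decrypted)."""
    try:
        raw = b64d(token)
    except (ValueError, TypeError):
        return None
    if len(raw) < MIN_LEN or raw[0] != FERNET_VERSION:
        return None
    body, tag = raw[:-32], raw[-32:]
    ciphertext = body[25:]
    if len(ciphertext) % 16:  # AES-CBC output is always whole 16-byte blocks
        return None
    info = {"timestamp": struct.unpack(">Q", body[1:9])[0], "iv": body[9:25],
            "ciphertext_len": len(ciphertext), "mac_ok": None}
    if key is not None:
        signing_key = b64d(key)[:16]  # Fernet key = signing key || encryption key
        expected = hmac.new(signing_key, body, hashlib.sha256).digest()
        info["mac_ok"] = hmac.compare_digest(expected, tag)
    return info

def unprotected_fields(record, key=None):
    """Names of fields whose stored value is not a valid (and, with key, authentic) token."""
    bad = []
    for name, value in record.items():
        info = parse_fernet_token(value, key)
        if info is None or info["mac_ok"] is False:
            bad.append(name)
    return bad

def make_sample_token(key, timestamp, iv, ciphertext):
    """Build a constructed token with a correct tag; the ciphertext is placeholder bytes."""
    body = bytes([FERNET_VERSION]) + struct.pack(">Q", timestamp) + iv + ciphertext
    tag = hmac.new(b64d(key)[:16], body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()

# Constructed sample data (hypothetical field names, not taken from the project).
SAMPLE_KEY = base64.urlsafe_b64encode(bytes(range(32))).decode()
SAMPLE_TOKEN = make_sample_token(SAMPLE_KEY, 1700000000, b"\x11" * 16, b"\x22" * 32)
SAMPLE_RECORD = {"ssh_password": SAMPLE_TOKEN, "finding_notes": "admin:hunter2 on 10.0.0.5"}
```

Running `unprotected_fields` over a database export flags any column that was written in plaintext or modified after encryption.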

3. Manager Webapp Hardening

The central command center is built with modern application security standards.

  • Manager Webapp Security: MFA, Strong Hashing (PBKDF2), RBAC, and Input Sanitization.

4. Component-Level Security

Each microservice is hardened according to its function: