Encryption adds latency. In our tests with a three-agent pipeline (planner -> coder -> reviewer), we saw a 12-18% increase in total round-trip time for sub-agent calls. The overhead comes from key exchange (one-time per session) and encryption/decryption of each prompt. For prompts under 4K tokens, the latency increase is about 40-60ms per hop. For longer prompts (16K+ tokens), it can reach 200ms.
Memory usage also increases. The encryption context (session keys, nonces) adds roughly 1KB per active sub-agent session. If you run 100 concurrent sub-agents, that's 100KB of extra memory. Negligible for most systems, but worth noting for edge deployments.
How to opt out or customize
Codex provides an environment variable CODEX_ENCRYPT_SUBAGENT_PROMPTS that defaults to true. Set it to false to disable encryption for debugging or performance-critical paths. You can also set CODEX_ENCRYPT_SUBAGENT_KEY_TTL to control how long session keys live (default 300 seconds).
For advanced users, Codex exposes a subagent_encryption_config parameter in the API call. You can specify algorithm: "aes-256-gcm" or "chacha20-poly1305". AES-256-GCM is faster on hardware with AES-NI instructions; ChaCha20 is better for mobile or ARM-based agents.
Security implications for prompt injection
Encryption does not prevent prompt injection. If a sub-agent receives an encrypted prompt that contains an injection payload, the sub-agent will still execute the injected instructions. Encryption only protects the prompt content from being read by third parties during transit or at rest. You still need input validation and output filtering on each agent.
However, encryption does prevent a compromised sub-agent from leaking the parent's prompt to an external attacker. The sub-agent can only exfiltrate data it generates, not the original prompt. This raises the bar for data exfiltration attacks.
Cost impact
Encryption itself is free in Codex (no additional token cost). But the increased latency may cause longer agent runtimes, which can increase compute costs if you pay per second of agent execution. For a typical pipeline that costs $0.02 per run, a 15% latency increase might add $0.003 per run. For high-volume systems (1M runs/month), that's an extra $3,000/month.
Best practices for adopting this change
-
Update your agent orchestration code to handle the new encryption headers. The sub-agent response now includes an x-codex-encrypted header with the session ID. Verify this header to ensure the response came from an encrypted session.
-
Audit your logging. If you log sub-agent prompts for debugging, you will now see encrypted blobs. You need to either decrypt them using the session key (available via CODEX_SESSION_KEY environment variable in the parent agent) or switch to logging only the parent prompt.
-
Test with your existing agent chains. Some agents may rely on reading sub-agent prompts from shared memory or files. Encryption breaks that pattern. You may need to refactor to pass data through the parent agent's context instead.
-
Consider the tradeoff for short-lived agents. If your sub-agent runs for less than 100ms, the encryption overhead may double the latency. In those cases, disabling encryption for that specific sub-agent might be acceptable.
The bigger picture
This change signals that OpenAI is treating sub-agent communication as a security boundary. It aligns with the trend toward zero-trust architectures in AI systems. Other agent frameworks (LangGraph, AutoGen) are likely to follow with similar encryption defaults.
For teams building production agent systems, this is a net positive. It forces you to think about data flows between agents and gives you a default security posture that would have required custom encryption code before. The latency cost is real but manageable for most use cases.
Keep Reading
If you are building multi-agent systems and want to test this encryption behavior, try Zlyqor's agent sandbox which supports Codex encryption out of the box. Sign up at app.zlyqor.com/signup.