Hermes Portable is designed around a simple security model: the portable folder is your identity. Everything that makes your Hermes setup yours — API keys, LLM provider configuration, conversation history, persistent memories, and custom skills — lives entirely inside theDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/techjarves/Hermes-USB-Portable/llms.txt
Use this file to discover all available pages before exploring further.
data/ subdirectory of your portable folder. There is no separate account, cloud backup, or remote credential store. This design gives you complete ownership of your data and leaves nothing behind on the host machine, but it also means the physical drive is the only thing standing between your credentials and anyone who wants them.
Risk
Drive Encryption
The most effective protection is to encrypt the entire portable drive so that its contents are unreadable without your passphrase. Choose the tool that fits your operating system:Windows
BitLockerBuilt into Windows 10/11 Pro and Enterprise. Right-click the drive in File Explorer, choose Turn on BitLocker, and follow the wizard. The drive will prompt for a PIN or recovery key on every mount.
macOS
FileVault (drive encryption)For external drives on macOS, right-click the volume in Finder and choose Encrypt. macOS will ask for a passphrase and encrypt the drive using AES-256 XTS.
Cross-platform
VeraCryptFree and open-source. Works on Windows, macOS, and Linux. Create an encrypted container on the drive or encrypt the entire volume. Useful when the same drive is used across multiple operating systems.
API Key Best Practices
Avoid high-balance or production keys
Do not store API keys that have large prepaid balances or that are shared with production systems on a drive you carry daily. If the drive is compromised, those keys are immediately exposed.
Use spending limits or sub-keys
Most LLM providers allow you to create keys with monthly spending caps or restricted scopes. Use a dedicated sub-key for Hermes Portable so that any compromise is limited to a controlled budget.
What the Launcher Does NOT Do
Understanding the boundaries of the launcher helps clarify what you need to protect separately.Does not transmit data outside of what Hermes Agent sends to LLM providers
Does not transmit data outside of what Hermes Agent sends to LLM providers
The launcher scripts and setup automation do not send telemetry, usage data, or configuration information to any server. The only outbound network traffic during normal use is the prompts and context that Hermes Agent sends directly to the LLM providers you have configured.
Does not write registry keys or global config files on the host
Does not write registry keys or global config files on the host
Hermes Portable overrides
HERMES_HOME to the local data/ folder and prepends portable binary paths to the active process PATH. When the launcher exits, the host machine is left exactly as it was — no registry entries, no global environment variables, no files written outside the portable folder.Does not store credentials anywhere outside the portable folder
Does not store credentials anywhere outside the portable folder
All credentials — API keys, gateway tokens, session state — are written exclusively to
data/.env, data/config.yaml, and data/state.db inside the portable folder. Nothing is cached in the host user profile, system keychain, or browser credential store.Back Up Your data/ Directory
The
data/ directory contains everything needed to fully restore your Hermes setup: API keys (data/.env), model configuration (data/config.yaml), chat history (data/sessions/), persistent memories (data/memories/), and custom skills (data/skills/). Back it up regularly to a separate encrypted location so that a lost or damaged drive does not mean losing your entire Hermes history.