About PrivateClaw
PrivateClaw gives you a dedicated, managed OpenClaw instance running inside a Confidential VM. Your data is encrypted in memory using AMD SEV-SNP. Not even the cloud provider can see it. Inference is also private, running in a separate Trusted Execution Environment. The result: end-to-end private AI, from your terminal to the model and back.
What You Get
- Dedicated Confidential VM (AMD SEV-SNP)
- OpenClaw pre-installed and ready to configure
- Direct SSH access. Only your key can connect
- End-to-end private inference powered by Confidential AI
- Per-CVM network security groups with egress enforcement
See pricing for tier details: Free ($0/mo), Pro ($69/mo).
Motivation
AI coding assistants are powerful, but they require sending your code to third-party servers. For sensitive work (proprietary code, regulated industries, personal projects you want to keep private), that's a non-starter.
PrivateClaw solves this by running everything in a Trusted Execution Environment (TEE). The VM's memory is hardware-encrypted. Inference happens through a private endpoint that also runs in a TEE. Your code and prompts stay yours.
We (PrivateClaw) cannot see your data. Your CVM's memory is encrypted by AMD SEV-SNP hardware. We do not have the keys. The orchestrator handles billing and provisioning only; it never touches your code, prompts, or completions.
How It Works
ssh privateclaw.devto connect to the management TUI- Choose your plan: Free ($0/mo), or Pro ($69/mo)
- Your Confidential VM is provisioned automatically
- SSH directly to your VM and run
openclaw onboard - Use OpenClaw with complete privacy
How Privacy Works
PrivateClaw provides end-to-end privacy through a chain of Trusted Execution Environments with full attestation at every hop:
┌──────────────┐ SSH (encrypted) ┌──────────────────────────┐
│ Your Computer│───────────────────────────>│ PrivateClaw Orchestrator │
│ │ │ (billing + provisioning │
│ │ │ only. Never sees your │
│ │ │ code or prompts) │
└──────┬───────┘ └──────────────────────────┘
│
│ SSH (encrypted)
▼
┌──────────────────────────────┐ TLS (encrypted) ┌────────────────────────────┐
│ Your Confidential VM │──────────────────────>│ Inference Proxy (CVM) │
│ (AMD SEV-SNP TEE) │ │ (tee-proxy: attestation │
│ │ │ report on every response) │
│ • Memory hardware-encrypted │ │ │
│ • Only your SSH key connects │ ├────────────────────────────┤
│ • OpenClaw runs here │ │ ▼ │
│ • Your code & prompts live │ │ Inference Cluster (TEE) │
│ here │ │ Powered by Confidential AI │
│ • Per-CVM NSG + firewall │ │ • Runs in TEE │
└──────────────┬───────────────┘ │ • Attestation verified │
│ └────────────────────────────┘
│ E2E encrypted (optional)
▼
┌───────────────┐
│WhatsApp/Signal│
│ (messaging) │
└───────────────┘
Full chain attestation: CVM → proxy (attested) → inference (attested). Every hop is cryptographically verified.
- PrivateClaw never sees your code or prompts. The orchestrator handles billing and provisioning only.
- The cloud provider cannot read your VM's memory. Hardware encryption (AMD SEV-SNP) prevents this.
- Every CVM runs in an AMD SEV-SNP TEE. Memory is encrypted by the CPU with keys the hypervisor never sees.
- Inference proxy runs on a CVM with tee-proxy. Every response includes an Attestation Report proving it runs in a TEE.
- Inference cluster runs in TEE (Confidential AI). Your prompts are encrypted in transit and during processing.
- Per-CVM network security groups. Each VM has its own NSG with egress enforcement and usage limits.
- Independently verifiable. Run
privateclaw verifyon your VM to cryptographically prove these properties. - Fully auditable. The PrivateClaw CLI is a single shell script. No compiled binary, nothing hidden. View source on GitHub.
What privateclaw verify Checks
Run this on your CVM at any time to independently verify the full trust chain:
- [1/5] SEV-SNP Hardware. Requests a fresh SEV-SNP attestation report from the AMD CPU and verifies the VCEK certificate chain back to the AMD root CA. Proves genuine SEV-SNP silicon with memory encryption active.
- [2/5] TPM Attestation. Reads the HCL report from the virtual TPM, binding the SEV-SNP measurement to the boot state.
- [3/5] Host Key Binding. Confirms the SSH host key hash inside the attestation report matches the live host key — you are talking to the same machine that produced the attestation.
- [4/5] Inference Provider. Verifies the inference endpoint returns valid attestation headers proving it runs in a TEE. Your prompts are encrypted in transit and during processing.
- [5/5] External Access Lockout. Verifies only your SSH key has access, firewall is active, and no lateral network access is possible.
The verification tool is open source. You can read every line of code it runs. View source on GitHub.
You can run privateclaw verify after updates, reboots, or whenever you want reassurance. The checks are read-only and instant.
How SSH Keys Work
PrivateClaw uses SSH keys as your identity. No passwords, no accounts, no email required.
- When you run
ssh privateclaw.dev, your SSH public key identifies you. - When your VM is provisioned, that same public key becomes the only key authorized to connect.
- No one else, not even PrivateClaw, can SSH into your machine.
- If you need to use a different key, you can re-register by connecting to
ssh privateclaw.devwith your new key.
Architecture
Each customer gets a dedicated Confidential VM (AMD SEV-SNP) with its own network security group. The orchestrator handles billing, provisioning, and the SSH management interface. Your VM is isolated. Only your SSH key can access it. Egress is enforced per-CVM with per-tier usage grants.