About PrivateClaw

PrivateClaw gives you a dedicated, managed OpenClaw instance running inside a Confidential VM (AMD SEV-SNP). Every stage that touches your prompts — your CVM, our inference gateway, and the inference cluster — runs inside a TEE where the cloud host cannot read memory. Traffic between stages is TLS-encrypted. We run the gateway binary you see in our public repo. For background on how TEEs work, see confidential.ai/docs.

What You Get

See pricing for tier details: Free ($0/mo), Pro ($69/mo).

Motivation

AI coding assistants are powerful, but they require sending your code to third-party servers. For sensitive work (proprietary code, regulated industries, personal projects you want to keep private), that's a non-starter.

PrivateClaw solves this by running every stage of the inference pipeline inside a Trusted Execution Environment. Your CVM's memory is hardware-encrypted. The inference gateway runs in its own SEV-SNP VM. The inference cluster runs in a TEE too. The cloud host can't read any of those memories; network attackers can't read any of the TLS hops between them.

The Azure host cannot see your data. Your CVM's memory is encrypted by AMD SEV-SNP hardware. The gateway binary that terminates TLS, counts tokens for billing, and routes between models is itself running inside a Confidential VM. For background on how TEEs protect inference, see confidential.ai/docs.

How It Works

  1. Run ssh privateclaw.dev to connect to the management TUI
  2. Choose your plan: Free ($0/mo) or Pro ($69/mo)
  3. Your Confidential VM is provisioned automatically
  4. SSH directly to your VM and run openclaw onboard
  5. Use OpenClaw with complete privacy

How Privacy Works

PrivateClaw chains together three Trusted Execution Environments — your CVM, our gateway, and the inference cluster — with TLS on every network hop between them. Each stage is a SEV-SNP Confidential VM whose memory the Azure host cannot read:

┌──────────────┐       SSH (encrypted)      ┌──────────────────────────┐
│ Your Computer│───────────────────────────>│ PrivateClaw Orchestrator │
│              │                            │ (billing + provisioning  │
│              │                            │  only. Does not route    │
│              │                            │  inference traffic)      │
└──────┬───────┘                            └──────────────────────────┘
       │
       │ SSH (encrypted)
       ▼
┌──────────────────────────────┐    TLS (encrypted)    ┌────────────────────────────┐
│ Your Confidential VM         │──────────────────────>│ Inference Proxy (CVM)      │
│ (AMD SEV-SNP TEE)            │                       │ (tee-proxy: attestation    │
│                              │                       │  report on every response) │
│ • Memory hardware-encrypted  │                       │                            │
│ • Only your SSH key connects │                       ├────────────────────────────┤
│ • OpenClaw runs here         │                       │         ▼                  │
│ • Your code & prompts live   │                       │ Inference Cluster (TEE)    │
│   here                       │                       │ Powered by Confidential AI │
│ • Per-CVM NSG + firewall     │                       │ • Runs in TEE              │
└──────────────┬───────────────┘                       │ • Attestation verified     │
               │                                       └────────────────────────────┘
               │ E2E encrypted (optional)
               ▼
       ┌───────────────┐
       │WhatsApp/Signal│
       │ (messaging)   │
       └───────────────┘

TEE at every stage, TLS between stages, attestation on the inference hop. For background on how TEEs work, see confidential.ai/docs.

What privateclaw verify Checks

Run this on your CVM at any time to independently verify the full trust chain:

  1. [1/5] SEV-SNP Hardware. Requests a fresh SEV-SNP attestation report from the AMD CPU and verifies the VCEK certificate chain back to the AMD root CA. Proves genuine SEV-SNP silicon with memory encryption active.
  2. [2/5] TPM Attestation. Reads the HCL report from the virtual TPM, binding the SEV-SNP measurement to the boot state.
  3. [3/5] Host Key Binding. Confirms the SSH host key hash inside the attestation report matches the live host key — you are talking to the same machine that produced the attestation.
  4. [4/5] Inference Provider. Verifies the inference endpoint returns valid attestation headers proving it runs in a TEE. Your prompts are encrypted in transit and during processing.
  5. [5/5] External Access Lockout. Verifies that only your SSH key has access, that the firewall is active, and that no lateral network access is possible.

The verification tool is open source. You can read every line of code it runs. View source on GitHub.

You can run privateclaw verify after updates, reboots, or whenever you want reassurance. The checks are read-only and instant.

Open Source

The privateclaw CLI that runs inside every CVM is open source: github.com/lunal-dev/privateclaw-cli. Read every line it executes before you trust it.

How SSH Keys Work

PrivateClaw uses SSH keys as your identity. No passwords, no accounts, no email required.

  1. When you run ssh privateclaw.dev, your SSH public key identifies you.
  2. When your VM is provisioned, that same public key becomes the only key authorized to connect.
  3. No one else, not even PrivateClaw, can SSH into your machine.
  4. If you need to use a different key, you can re-register by connecting to ssh privateclaw.dev with your new key.
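
The "only your SSH key has access" property described here and in check [5/5] can be audited by hand. The following is an added example, not code from the privateclaw CLI: it assumes a standard OpenSSH authorized_keys file, and the function names and sample keys are constructed for illustration.

```python
import base64
import binascii
import hashlib

# Key-type prefixes OpenSSH writes in authorized_keys entries.
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-", "sk-ssh-ed25519@", "sk-ecdsa-sha2-")

def fingerprint(blob_b64):
    """SHA256 fingerprint in the form `ssh-keygen -l` prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def authorized_fingerprints(text):
    """Fingerprint of every entry in authorized_keys text; bad entries are flagged."""
    found = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Entries may begin with options (no-pty, command="..."), so find the key type.
        for i, field in enumerate(fields[:-1]):
            if field.startswith(KEY_TYPES):
                try:
                    found.append(fingerprint(fields[i + 1]))
                except (binascii.Error, ValueError):
                    found.append("UNPARSEABLE")
                break
        else:
            found.append("UNPARSEABLE")  # fail closed: an unknown entry is not "no entry"
    return found

def only_key_is(text, expected):
    """True only when exactly one key is authorized and it is the expected one."""
    return authorized_fingerprints(text) == [expected]

def constructed_key(seed, comment="user@laptop"):
    """Constructed sample entry: a well-formed ed25519 blob with filler key bytes."""
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes([seed]) * 32
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

if __name__ == "__main__":
    mine, other = constructed_key(1), constructed_key(2, "unknown@host")
    expected = fingerprint(mine.split()[1])
    print(only_key_is(f"# provisioned key\n{mine}\n", expected))   # True
    print(only_key_is(f"{mine}\nno-pty {other}\n", expected))      # False
```

The expected fingerprint is the value ssh-keygen -lf prints for your own public key file; any second entry, or any line that cannot be parsed, makes the check fail.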

Architecture

Each customer gets a dedicated Confidential VM (AMD SEV-SNP) with its own network security group. The orchestrator handles billing, provisioning, and the SSH management interface. Your VM is isolated. Only your SSH key can access it. Egress is enforced per-CVM with per-tier usage limits.

Further Reading

For a detailed explanation of how Trusted Execution Environments protect inference — what SEV-SNP protects against, what attestation proves, and how confidential computing works end-to-end — see confidential.ai/docs.