Getting Started

Your PrivateClaw instance is a Confidential VM, a machine whose memory is hardware-encrypted by the CPU itself. Not even the cloud provider can read what's running inside. After your first SSH, there are three things to do: verify the TEE, onboard OpenClaw, and hook up a messaging channel so you can talk to your agent from anywhere.

1. Verify Your TEE

The first thing to do after SSH-ing into your CVM is verify that it's actually running in a Trusted Execution Environment:

privateclaw verify

Why it matters

This proves your CVM is really a TEE, so your data can't be read by anyone — including the cloud provider. Run it to confirm the machine you're on is what we say it is. The checks are read-only and instant, so re-run any time.

Inspect the code yourself

The privateclaw binary is a single shell script. You can read every line at github.com/lunal-dev/privateclaw-cli.

What the five checks prove

1. SEV-SNP Hardware. Requests a fresh SEV-SNP attestation report from the AMD CPU and verifies the VCEK certificate chain back to the AMD root CA. Proves the VM is running on genuine SEV-SNP silicon with memory encryption active.
2. TPM Attestation. Reads the HCL (Hardware Compatibility Layer) report from the virtual TPM, which binds the SEV-SNP measurement to the boot state.
3. Host Key Binding. Confirms the SSH host key hash recorded inside the attestation report matches the live host key, proving you are connected to the same machine that produced the attestation.
4. Inference Provider. Verifies that the Confidential AI inference cluster (where your prompts are run) is itself a TEE, and that our internal PrivateClaw Gateway — the VM that proxies requests from your CVM to the inference cluster — also runs in a TEE. Both nodes that touch your prompts are attested on every request.
5. External Access Lockout. Confirms the outside world can't get in:
   • Only your SSH key is authorized to log in.
   • The firewall (UFW) is active and blocking lateral network access.
   • Cloud provider access is blocked — even Azure cannot run commands on your CVM. This is enforced by masking the walinuxagent service and setting Extensions.Enabled=n in waagent.conf, so the VM extensions channel is shut down in both the service layer and the agent config.

You can run privateclaw verify at any time: after updates, after reboots, whenever you want reassurance.

2. Onboard OpenClaw

Once the TEE is verified, run the interactive wizard that sets up your agent:

openclaw onboard

Important: when the wizard asks about an inference provider or model, skip it. Confidential AI inference is already configured for you on PrivateClaw — if you override it with an external provider, your prompts leave the private pipeline and you lose the privacy guarantees that privateclaw verify just confirmed.

At a high level, openclaw onboard walks you through:

• Workspace config — where your agent's files, notes, and state live on the CVM.
• Channels — which messaging apps your agent can talk to you through (see step 3).
• Skills — optional capabilities the agent can use (email, calendar, search, etc.).
• Inference provider — skip this, per the note above.

You can re-run openclaw onboard later to change any of these — it's idempotent.

3. Messaging & Channels

OpenClaw is designed to talk to you through the messaging apps you already use, so you don't have to SSH in to chat with it. Supported channels include Telegram, Discord, and others — all configured inside the "channels" step of openclaw onboard.

Once a channel is linked, messages flow from your phone to your CVM, through our TEE-hosted gateway, out to the Confidential AI inference cluster and back — every stage is SEV-SNP and every hop is TLS. For background on how TEEs protect inference, see confidential.ai/docs.

Help & Troubleshooting

SSH Keys

PrivateClaw uses SSH keys as your identity. No passwords, no accounts, no email required. Most machines do not have an SSH key pair by default.

Step 1: Check if you already have an SSH key

ls ~/.ssh/id_ed25519.pub

If you see "No such file or directory", you need to create one (Step 2). If you see a path, skip to Step 3.

Step 2: Create an SSH key

ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -N '' -q

This creates a key pair with no passphrase. The private key stays on your machine; the public key identifies you to PrivateClaw.

Step 3: Connect to PrivateClaw

ssh privateclaw.dev

This opens the management TUI where you can choose your plan and provision your Confidential VM.

Connection Errors

Permission denied (publickey)

Your SSH key is not being sent. Common causes:

• You don't have an SSH key. Create one with the command in Step 2 above.
• Your key is in a non-default location. Use ssh -i /path/to/key privateclaw.dev.
• Your SSH agent isn't running. Run ssh-add to add your key.

WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED

This means the server's host key changed since you last connected. If PrivateClaw has announced maintenance or infrastructure changes, this is expected. To fix:

ssh-keygen -R privateclaw.dev

Then reconnect with ssh privateclaw.dev. If you weren't expecting this, contact support before reconnecting.

Connection refused or Connection timed out

• Check your internet connection.
• If the service is under maintenance, try again in a few minutes.
• Make sure you're connecting to privateclaw.dev (not a different hostname).

Egress (Network Bandwidth)

What counts toward egress?

Egress measures outbound internet traffic from your CVM. This includes anything your CVM sends to the public internet: downloading packages, pulling container images, sending data to external APIs, or browsing the web from within your VM.

What does NOT count?

• Private inference traffic between your CVM and the Confidential AI endpoint travels over the VNet (private network) and is not counted.
• SSH sessions to your CVM are inbound traffic, not egress.
• Internal orchestrator communication (callbacks, health checks) stays within the VNet.

How is egress tracked?

All outbound internet traffic from CVMs goes through a dedicated NAT Gateway. We measure exactly the bytes that traverse it, which aligns with what Azure charges for outbound data transfer. VNet-internal traffic bypasses the NAT Gateway entirely and is free.

What happens when I hit my limit?

Egress is hard-capped on every tier (Free: 5 GB/month, Pro: 50 GB/month). When you reach the cap, outbound internet from your CVM is blocked until your billing period resets (30 days) or you upgrade to a higher tier. SSH access and private inference continue to work throughout. You are never charged for egress overage.

How can I reduce egress?

• Use the private inference endpoint (already configured by default) instead of external AI APIs.
• Avoid large downloads inside the CVM when possible.
• Monitor your usage in the management TUI (ssh privateclaw.dev).

What's Next

• Explore OpenClaw's features: OpenClaw documentation
• Run privateclaw verify anytime to re-check your TEE
• Learn more about our privacy model: About PrivateClaw

Need help?

If you run into any issues or have questions, reach out at support@privateclaw.dev.