How to Deploy OpenClaw Securely
This guide shows you how to deploy OpenClaw in production with proper security controls. You have two options: manual hardening or using a managed runtime.
Quick Answer
Fastest secure deployment (60 seconds):
Sign up at clawctl.com/checkout, pick a plan, and your agent is provisioned with production security out of the box. The dashboard setup wizard handles the rest.
Manual hardening: Follow the detailed steps below. Takes 2-4 hours.
Why Security Matters
OpenClaw's default configuration is insecure for production:
- Binds to 0.0.0.0 (exposed to internet)
- No authentication on gateway
- Plaintext API key storage
- No audit logging
- No action restrictions
In January 2026, 42,665 exposed OpenClaw instances were found via Shodan. Don't be one of them.
Option 1: Manual Hardening
If you want full control, follow these steps.
Step 1: Secure the Network
Bind to loopback only:
Edit your OpenClaw config to bind to 127.0.0.1 instead of 0.0.0.0:
{
  "gateway": {
    "host": "127.0.0.1",
    "port": 3000
  }
}
Configure firewall:
# Block direct access to OpenClaw ports
ufw deny 3000
ufw deny 3001
# Allow only via reverse proxy
ufw allow 443
Set up reverse proxy with auth:
Using nginx:
server {
    listen 443 ssl;
    server_name agent.yoursite.com;
    # TLS configuration
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;
    location / {
        # Don't pass X-Forwarded-For or X-Real-IP upstream (prevents localhost bypass).
        # An empty value makes nginx omit the header from the proxied request.
        proxy_set_header X-Forwarded-For "";
        proxy_set_header X-Real-IP "";
        proxy_pass http://127.0.0.1:3000;
        # Basic auth (minimum requirement)
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }
}
Step 2: Secure Credentials
Never store API keys in plaintext.
Bad:
~/.openclaw/credentials/anthropic.json
{"api_key": "sk-ant-xxxxx"}
Better — use environment variables:
export ANTHROPIC_API_KEY="sk-ant-xxxxx"
Best — use a secrets manager:
# AWS Secrets Manager
aws secretsmanager get-secret-value --secret-id openclaw/anthropic
# HashiCorp Vault
vault kv get secret/openclaw/anthropic
Step 3: Enable Audit Logging
Configure logging for all agent actions:
{
  "logging": {
    "level": "info",
    "format": "json",
    "destination": "/var/log/openclaw/agent.log"
  }
}
Set up log rotation:
# /etc/logrotate.d/openclaw
/var/log/openclaw/*.log {
    daily
    rotate 90
    compress
    delaycompress
    missingok
    notifempty
}
Ship logs to a SIEM for analysis and alerting.
Step 4: Restrict Network Egress
Use a proxy to control outbound connections:
# Send outbound traffic through the local proxy, which allows only approved domains
export HTTP_PROXY=http://localhost:3128
export HTTPS_PROXY=http://localhost:3128
Configure Squid:
acl allowed_domains dstdomain .anthropic.com .openai.com .github.com
http_access allow allowed_domains
http_access deny all
Step 5: Add Action Restrictions
Create a policy file for high-risk actions:
# policies/restrictions.yaml
blocked_tools:
- shell_exec
- file_delete
- send_email
- http_post
require_approval:
- file_write
- database_query
- api_call
Note: OpenClaw doesn't have built-in policy enforcement. You'll need to implement this in your agent code or use a wrapper.
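One way to build the wrapper this step calls for, shown as an added example rather than OpenClaw's or Clawctl's own code. The `PolicyGate` class, its `call` method, and the `approver` and `audit_sink` callbacks are hypothetical names, and the policy is inlined from restrictions.yaml so the block runs offline.

```python
import json
import time

# Mirrors policies/restrictions.yaml above, inlined so the example runs offline.
POLICY = {
    "blocked_tools": {"shell_exec", "file_delete", "send_email", "http_post"},
    "require_approval": {"file_write", "database_query", "api_call"},
}


class ToolDenied(Exception):
    """Raised when the policy refuses a tool call."""


class PolicyGate:
    """Hypothetical wrapper: the agent reaches tools only through call()."""

    def __init__(self, tools, policy, approver, audit_sink):
        self.tools = tools            # tool name -> callable
        self.policy = policy
        self.approver = approver      # callable(tool, args) -> bool, e.g. a human prompt
        self.audit_sink = audit_sink  # callable(str), e.g. a log file's write method

    def _audit(self, tool, decision, reason):
        # Only the tool name is logged: arguments may carry secrets.
        record = {"ts": time.time(), "tool": tool, "decision": decision, "reason": reason}
        self.audit_sink(json.dumps(record))

    def call(self, tool, **args):
        if tool in self.policy["blocked_tools"]:
            self._audit(tool, "deny", "blocked_tools")
            raise ToolDenied(f"{tool} is blocked by policy")
        if tool not in self.tools:
            # Fail closed: a name the gate does not know is never executed.
            self._audit(tool, "deny", "unknown_tool")
            raise ToolDenied(f"{tool} is not a registered tool")
        if tool in self.policy["require_approval"]:
            if not self.approver(tool, args):
                self._audit(tool, "deny", "approval_refused")
                raise ToolDenied(f"{tool} was not approved")
            self._audit(tool, "allow", "approved")
        else:
            self._audit(tool, "allow", "unrestricted")
        return self.tools[tool](**args)
```

The blocked list is checked before anything else, so a tool that is registered by mistake is still refused, and each decision is emitted as one JSON line that fits the Step 3 log format.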
Step 6: Set Up Monitoring
Configure alerts for:
- Unusual API usage patterns
- Failed authentication attempts
- High-risk tool invocations
- Network egress to unexpected domains
Example Prometheus alert:
- alert: OpenClawHighRiskAction
  expr: openclaw_tool_calls{tool="shell_exec"} > 0
  for: 0m
  labels:
    severity: critical
  annotations:
    summary: "Shell execution detected"
Estimated Time
| Task | Time |
|---|---|
| Network configuration | 30-60 min |
| Credential management | 30-60 min |
| Logging setup | 15-30 min |
| Egress control | 30-60 min |
| Policy enforcement | 1-2 hours (custom code) |
| Monitoring | 30-60 min |
| Total | 3-6 hours |
Option 2: Managed Runtime (Clawctl)
Clawctl provides all of the above security controls out of the box.
Deploy in 60 Seconds
- Sign up at clawctl.com/checkout
- Pick a plan and pay via Stripe
- Your secure environment is provisioned automatically
- Configure your LLM API key in the dashboard setup wizard
That's it. Production-grade security in under 60 seconds.
What You Get
| Security Control | Manual | Clawctl |
|---|---|---|
| Loopback binding | Configure yourself | Automatic |
| Token authentication | Configure yourself | Automatic |
| Encrypted secrets | Set up yourself | Built-in vault |
| Audit logging | Configure yourself | Built-in (365-day retention) |
| Egress control | Squid proxy setup | Built-in allowlists |
| Action restrictions | Custom code | 70+ actions blocked |
| Monitoring | Custom setup | Dashboard included |
| Setup time | 3-6 hours | 60 seconds |
Pricing
- Starter: $49/mo (1 agent)
- Team: $299/mo (5 agents)
- Business: $999/mo (25 agents)
Security Comparison
| Approach | Security Level | Effort | Maintenance |
|---|---|---|---|
| Raw OpenClaw | Low | None | None |
| Manual hardening | High | High (3-6h) | Ongoing |
| Clawctl | High | Low (60s) | Managed |
Checklist: Before You Go Live
Use this checklist before exposing OpenClaw to production traffic:
Network
- Binds to 127.0.0.1, not 0.0.0.0
- Firewall blocks direct agent access
- Reverse proxy configured correctly
- TLS enabled (no plaintext HTTP)
- Egress restricted to approved domains
Authentication
- Gateway authentication required
- Tokens rotated on schedule
- Session timeouts configured
Credentials
- No plaintext API keys on disk
- Credentials in secrets manager
- Key rotation process documented
Logging
- All agent actions logged
- Logs retained for compliance
- Alerts for anomalous behavior
Action Control
- High-risk actions blocked or require approval
- Kill switch available
- Incident response plan documented
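The file-based items on this checklist can be checked automatically. The script below is an added example, not part of OpenClaw or Clawctl: `audit_deployment` is a hypothetical helper, the config and credentials paths are passed in because the page does not name the config file, and the `sk-` key pattern is an assumption based on the sample key shown in Step 2.

```python
import ipaddress
import json
import re
from pathlib import Path

# Assumption: provider API keys look like the "sk-ant-xxxxx" sample from Step 2.
KEY_PATTERN = re.compile(r"sk-[A-Za-z0-9_-]{5,}")


def audit_deployment(config_path, credentials_dir):
    """Return a list of findings; an empty list means these checks passed."""
    findings = []
    config = json.loads(Path(config_path).read_text())

    # The page says the default bind is 0.0.0.0, so a missing host counts as exposed.
    host = config.get("gateway", {}).get("host", "0.0.0.0")
    try:
        loopback = ipaddress.ip_address(host).is_loopback
    except ValueError:
        loopback = host == "localhost"
    if not loopback:
        findings.append(f"gateway.host is {host}, not a loopback address")

    logging_cfg = config.get("logging", {})
    if not logging_cfg.get("destination"):
        findings.append("logging.destination is not set, so agent actions are not logged to a file")
    elif logging_cfg.get("format") != "json":
        findings.append("logging.format is not json")

    # Any file under the credentials directory that contains a key is plaintext on disk.
    cred_dir = Path(credentials_dir)
    if cred_dir.is_dir():
        for path in sorted(cred_dir.rglob("*")):
            if path.is_file() and KEY_PATTERN.search(path.read_text(errors="replace")):
                findings.append(f"plaintext API key in {path.name}")
    return findings
```

It covers only what can be read from files; firewall rules, TLS, and the reverse proxy still need to be tested from outside the host.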
Frequently Asked Questions
How long does it take to deploy OpenClaw securely?
Manual hardening: 3-6 hours for initial setup, plus ongoing maintenance.
Clawctl: 60 seconds.
Can I deploy OpenClaw on AWS/GCP/Azure securely?
Yes, but you must configure security controls yourself. Cloud providers don't handle OpenClaw-specific security. Use the manual hardening steps above or deploy with Clawctl.
What's the minimum security for production?
At minimum:
- Loopback binding (no 0.0.0.0)
- Authentication (token or API key)
- Encrypted credential storage
- Basic audit logging
Should I use Docker for OpenClaw?
Yes. Docker provides isolation, but you still need to configure authentication, credential management, and network controls.
Is Kubernetes overkill for OpenClaw?
For a single agent, yes. For multiple agents with scaling needs, Kubernetes can help with orchestration. Clawctl handles orchestration for you.
Summary
To deploy OpenClaw securely:
- Manual path: Configure loopback binding, authentication, encrypted secrets, audit logging, egress control, and action restrictions. Takes 3-6 hours.
- Managed path: Use Clawctl. Takes 60 seconds.
Both approaches achieve the same security outcome. The difference is time and maintenance burden.
Questions? support@mg.clawctl.com