Configuring OpenClaw for Encrypted LLM Inference Using TEE Enclaves

OpenClaw Configuration for Private LLM Inference
A developer on r/openclaw detailed their setup for running OpenClaw with encrypted LLM inference using trusted execution environments (TEEs). They switched from standard API-key-based inference to an enclave-based encrypted backend using the provider Onera, which runs inference inside AMD SEV-SNP trusted execution environments.
Technical Implementation
The key difference with this approach is that prompts are encrypted end-to-end and sent directly into hardware trusted execution environments. The client performs remote attestation first to verify the enclave identity before sending any data. This means:
- Prompts aren't visible to the host OS
- The infrastructure provider can't read the plaintext
- Inference runs inside hardware-isolated memory
OpenClaw made this integration straightforward since it supports OpenAI-compatible providers. The developer added the provider in ~/.openclaw/openclaw.json and set it as primary.
Configuration Example
Provider configuration:
{
  models: {
    mode: "merge",
    providers: {
      onera: {
        baseUrl: "https://api.onera.chat/v1",
        apiKey: "onr_YOUR_API_KEY_HERE",
        auth: "api-key",
        api: "openai-completions",
        models: [
          {
            id: "openai/gpt-oss-120b",
            name: "GPT OSS 120B (via Onera)",
            reasoning: false,
            input: ["text"],
            cost: {
              input: 0,
              output: 0,
              cacheRead: 0,
              cacheWrite: 0
            },
            contextWindow: 200000,
            maxTokens: 8192
          }
        ]
      }
    }
  }
}
Setting as primary model:
{
  agents: {
    defaults: {
      model: {
        primary: "onera/openai/gpt-oss-120b"
      },
      models: {
        "onera/openai/gpt-oss-120b": {
          alias: "Onera GPT OSS 120B"
        }
      }
    }
  }
}
How It Works
Under the hood:
- Client verifies the enclave via attestation
- Secure channel is established (Noise protocol)
- Prompt is processed inside the enclave
- Response is returned over the same encrypted channel
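The attestation step in the list above gates everything after it. The following is an added Python example, not code from OpenClaw, Onera or the original post, showing the checks a client makes before it sends a prompt. It assumes a simplified report (measurement, report_data, and a flag standing in for verification of the AMD-rooted signature chain) and assumes the enclave binds a client nonce and its channel public key into report_data; the function names, field layout and sample values are constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Report:
    """Simplified SEV-SNP report (assumption: only the fields checked here)."""
    measurement: bytes   # 48-byte launch digest of the enclave image
    report_data: bytes   # 64 bytes supplied by the guest when requesting the report
    signature_ok: bool   # stand-in for verifying the AMD-rooted signature chain


def bind(nonce: bytes, channel_key: bytes) -> bytes:
    # Fixed-length inputs (32 bytes each), so plain concatenation is unambiguous.
    return hashlib.sha512(nonce + channel_key).digest()


def verify_before_send(report: Report, pinned: bytes, nonce: bytes, channel_key: bytes):
    """Return (ok, reason). The prompt is sent only when ok is True."""
    if not report.signature_ok:
        return False, "signature chain not verified"
    if not hmac.compare_digest(report.measurement, pinned):
        return False, "unexpected enclave measurement"
    if not hmac.compare_digest(report.report_data, bind(nonce, channel_key)):
        return False, "report not bound to this nonce and channel key"
    return True, "ok"


def demo():
    # Constructed sample values, not real measurements or keys.
    pinned = hashlib.sha384(b"constructed enclave image").digest()
    enclave_key, other_key = os.urandom(32), os.urandom(32)
    nonce, old_nonce = os.urandom(32), os.urandom(32)
    good = Report(pinned, bind(nonce, enclave_key), True)
    cases = {
        "genuine": (good, nonce, enclave_key),
        "wrong_image": (Report(hashlib.sha384(b"other image").digest(),
                               bind(nonce, enclave_key), True), nonce, enclave_key),
        "replayed": (Report(pinned, bind(old_nonce, enclave_key), True), nonce, enclave_key),
        "relayed": (good, nonce, other_key),  # genuine report, channel ends elsewhere
        "unsigned": (Report(pinned, bind(nonce, enclave_key), False), nonce, enclave_key),
    }
    return {name: verify_before_send(r, pinned, n, k) for name, (r, n, k) in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12} {result}")
```

Only the "genuine" case passes. The "replayed" and "relayed" cases carry a valid measurement and still fail, which is why the report has to be tied to the session the prompt travels over.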
Tradeoffs Noticed
- Slightly higher latency due to attestation and secure session setup
- More moving parts compared to standard API endpoints
- Stronger guarantees around prompt confidentiality
For working with private repositories, this approach provides a cleaner trust model compared to sending plaintext to typical cloud APIs. The developer mentions other providers exploring similar TEE approaches including Phala and tinfoil AI.
📖 Read the full source: r/openclaw