Self-Hosting Security

Your server, your keys, your data. Complete data sovereignty with OpenClaw's self-hosted architecture.

Why Self-Hosting Matters for Security

When you self-host OpenClaw, the application runs entirely on hardware you control. There is no third-party service between you and your AI provider. This eliminates entire categories of security risk.

1. Data sovereignty

Your conversations, memory files, and configuration never leave your network. You decide where data lives, how long it's retained, and who can access it.

2. No vendor dependency

You're not trusting a SaaS provider to store your API keys, conversation history, or personal data. If OpenClaw the company disappeared tomorrow, your self-hosted instance keeps running.

3. Compliance on your terms

GDPR, HIPAA, SOC 2 — when data never leaves your infrastructure, compliance is between you and your own security policies. No vendor DPAs needed.

Architecture: Your Server, Your Data

How data flows in a self-hosted OpenClaw deployment.

Your device: You (WhatsApp / Telegram / Slack)
Your server: OpenClaw, memory & config files (local disk), API keys (.env file)
External: AI Provider (OpenAI / Anthropic)

Key point: The only external service that sees your messages is your AI provider. OpenClaw has no servers in between. When you run with local models (Ollama), even the AI provider is eliminated.

Network Isolation Options

Multiple layers of network security for your self-hosted instance.

Docker Container Isolation

Run OpenClaw in a Docker container with restricted network access, resource limits, and filesystem isolation from your host system.

Tailscale / WireGuard VPN

Access your OpenClaw instance only through a private mesh VPN. No ports exposed to the public internet.

Cloudflare Tunnel

Expose your instance through an encrypted tunnel without opening firewall ports. Add Cloudflare Access for identity-based authentication.

Host Firewall (UFW / iptables)

Lock down your server to allow only SSH and necessary outbound connections to AI providers. Block all unsolicited inbound traffic.

Quick Secure Setup

Get OpenClaw running on your server in three steps.

1. Pull the Docker image

Download the docker-compose configuration to your server. All data stays in the local directory you create.

terminal
mkdir -p ~/openclaw && cd ~/openclaw
curl -O https://raw.githubusercontent.com/openclaw/openclaw/main/docker-compose.yml

2. Configure your API keys

Create a .env file with your AI provider keys. This file stays on your disk — it's never uploaded anywhere.

.env
# .env — stored on YOUR machine only
ANTHROPIC_API_KEY=sk-ant-xxxxx
TELEGRAM_BOT_TOKEN=123456:ABC-xxxxx

# Optional: restrict to localhost only
OPENCLAW_HOST=127.0.0.1
OPENCLAW_PORT=3000

3. Start and verify

Launch the container and verify everything is running. Your OpenClaw instance is now live on your server.

terminal
docker compose up -d

# Verify it's running
docker compose ps
docker compose logs --tail=20
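
A check to run after step 3, added here as an example and not part of OpenClaw or its documentation: it confirms the .env file is accessible only to its owner and flags any container port that `docker compose ps` shows published on all interfaces. It assumes the compose file publishes the port set in the .env above (the page does not show the file's contents); the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not OpenClaw tooling): checks to run after steps 2 and 3.

# True only if FILE exists and grants nothing to group or others
# (characters 5-10 of the `ls -l` mode string are all '-', as in -rw-------).
env_file_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Reads `docker compose ps` output on stdin and prints each port mapping
# published on a wildcard address: 0.0.0.0, [::] or the older ::: form.
# Loopback mappings such as 127.0.0.1:3000->3000/tcp are not printed.
wildcard_publishes() {
    tr ' ,' '\n\n' |
        grep -E '^(0\.0\.0\.0|\[::\]|::):[0-9-]+->[0-9-]+/(tcp|udp)$' || true
}

# $1 = path to .env, stdin = `docker compose ps` output.
# Prints one line per finding and returns 0 only when there are none.
audit_setup() {
    findings=0
    if ! env_file_is_private "$1"; then
        echo "FINDING: $1 is missing or accessible to group/others (chmod 600)"
        findings=$((findings + 1))
    fi
    mappings=$(wildcard_publishes)
    if [ -n "$mappings" ]; then
        printf '%s\n' "$mappings" | sed 's/^/FINDING: published on all interfaces: /'
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample output (columns abbreviated), not captured from a real host.
SAMPLE_PS='NAME        SERVICE    STATUS         PORTS
openclaw-1  openclaw   Up 2 minutes   0.0.0.0:3000->3000/tcp, [::]:3000->3000/tcp'

# Demo on the sample. Real use, from ~/openclaw: docker compose ps | audit_setup .env
printf '%s\n' "$SAMPLE_PS" | audit_setup .env || true
```

Docker inserts its own iptables rules for published ports, so a UFW default-deny inbound policy does not by itself block a mapping on 0.0.0.0; binding the mapping to 127.0.0.1 in the compose file does.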

Self-Hosted vs. Cloud AI Assistants

Aspect | Self-Hosted OpenClaw | Cloud AI Assistants
Data location | Your server | Vendor data center
API key storage | Local .env file | Vendor key vault
Network control | Your firewall rules | Vendor-managed
Code auditability | Full source code | Not available
Compliance | Your policies | Vendor DPA required

Ready to Self-Host?

Follow the full self-hosting guide with hardware recommendations, step-by-step setup, and remote access configuration.