OpenClaw Security Hardening: Production Setup Guide

Running OpenClaw in production — especially for business use — requires proper security hardening beyond the defaults. This guide walks through every important hardening step.

1. System User and Permissions

Run OpenClaw as a dedicated non-root user:

sudo useradd -r -s /sbin/nologin openclaw
sudo chown -R openclaw:openclaw /opt/openclaw
sudo chmod 750 /opt/openclaw
sudo chmod 600 /opt/openclaw/openclaw.json

Never run OpenClaw as root.

2. Network Isolation

If running on a VPS, restrict inbound connections:

# Allow only necessary ports
ufw default deny incoming
ufw allow 22/tcp    # SSH (or your custom port)
ufw allow 8443/tcp  # OpenClaw API (HTTPS)
ufw enable

If OpenClaw only needs outbound connections (no public API), deny all inbound except SSH.

3. Reverse Proxy with SSL

Never expose OpenClaw directly. Use nginx with SSL:

server {
    listen 443 ssl http2;
    server_name your-domain.com;
    
    ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;
    
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

4. Docker Security (Recommended)

Run in Docker with security constraints:

# docker-compose.yml security additions
services:
  openclaw:
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    read_only: true
    tmpfs:
      - /tmp
    user: "1000:1000"

5. tools.allow Strict Configuration

Apply principle of least privilege to your agent:

{
  "tools": {
    "allow": [
      "read-email",
      "read-calendar", 
      "brave-search"
    ]
  }
}

Only add permissions when you specifically need them.

6. Audit Logging

Enable comprehensive logging:

{
  "logging": {
    "level": "info",
    "log_tool_calls": true,
    "log_to_file": "/var/log/openclaw/agent.log",
    "rotate_daily": true,
    "retain_days": 30
  }
}

Review logs weekly for unexpected tool calls or access patterns.

7. Automatic Updates

Configure automatic security updates:

# systemd timer for nightly updates
sudo systemctl enable openclaw-update.timer

Or use nacre.sh which handles updates automatically.

Security Checklist

• Non-root system user
• Restrictive file permissions (600 on config)
• Firewall with deny-by-default inbound
• SSL/TLS via reverse proxy
• Docker security constraints
• tools.allow with minimum permissions
• Secrets system for API keys
• Spending limits on LLM accounts
• Audit logging enabled
• Automatic security updates

Frequently Asked Questions

Is there an official security benchmark for OpenClaw?

The OpenClaw Foundation publishes a CIS-style security benchmark document (OpenClaw-Hardening-Guide.pdf) at openclaw.dev/security.

How often should I review my security configuration?

Quarterly review minimum. Review immediately after any CVE or after adding new skills or integrations.

Does nacre.sh implement all of these measures?

nacre.sh handles all infrastructure security (network isolation, SSL, updates, key management) automatically. Users on nacre.sh only need to focus on tools.allow configuration.