Encrypted Credential Vault & Security Layer for OpenClaw
ClosedClaw protects your API keys and sensitive credentials by storing them in an AES-256-GCM encrypted vault. It runs as a daemon that sits between you and OpenClaw, injecting credentials at runtime without ever storing them in plaintext.
# Install globally
npm install -g closedclaw
# Initialize your vault
closedclaw init
# Store your API keys
closedclaw store anthropic sk-ant-api03-xxxxx
closedclaw store openai sk-xxxxx
closedclaw store elevenlabs xxxxx
# Start the daemon
closedclaw start
# Check status
closedclaw status┌──────────────┐ ┌───────────────┐ ┌──────────────┐
│ You/Apps │ ───▶ │ ClosedClaw │ ───▶ │ OpenClaw │
│ │ │ (Daemon) │ │ Gateway │
└──────────────┘ └───────────────┘ └──────────────┘
│
▼
┌───────────────┐
│ Encrypted │
│ Vault │
│ (AES-256) │
└───────────────┘
- Initialize: Create an encrypted vault with your master passphrase
- Store: Add API keys - they're encrypted immediately
- Start: Launch the daemon, unlock with your passphrase
- Use: The daemon injects credentials into OpenClaw requests
| Feature | Description |
|---|---|
| AES-256-GCM | Military-grade encryption for all stored data |
| scrypt KDF | Passphrase-derived keys with high memory cost |
| Secure Permissions | Files created with 0600 mode (owner-only) |
| Memory Safety | Credentials cleared from memory when locked |
| No Plaintext | API keys never written to disk unencrypted |
Initialize a new encrypted vault. You'll create a master passphrase.
Store an API key for a provider (e.g., anthropic, openai, elevenlabs).
List all stored providers (keys are never displayed).
Remove a stored credential.
Start the daemon. Use -f to run in foreground.
Stop the running daemon.
Show vault and daemon status.
View or update configuration.
--daemon-port <port>: Set ClosedClaw's port (default: 3847)--openclaw-port <port>: Set OpenClaw gateway port (default: 3000)
ClosedClaw stores its config at ~/.closedclaw/config.json:
{
"daemon": {
"port": 3847,
"host": "127.0.0.1"
},
"openclaw": {
"gatewayUrl": "http://127.0.0.1",
"gatewayPort": 3000
}
}Update your OpenClaw configuration to use ClosedClaw as the gateway:
{
"gateway": {
"port": 3847
}
}Or set the environment variable:
export OPENCLAW_GATEWAY_URL=http://127.0.0.1:3847| File | Location | Purpose |
|---|---|---|
| Config | ~/.closedclaw/config.json |
Settings & preferences |
| Vault | ~/.closedclaw/vault.enc |
Encrypted credentials |
| PID | ~/.closedclaw/closedclaw.pid |
Daemon process ID |
# Clone the repo
git clone https://github.com/closedclaw/closedclaw.git
cd closedclaw
# Install dependencies
pnpm install
# Run in dev mode
pnpm dev
# Build
pnpm build
# Test
pnpm testMIT © ClosedClaw Team
🦞 OpenClaw + 🔐 ClosedClaw = Secure AI