Encrypt Your OpenClaw API Keys in 12 Minutes

Stop storing OpenClaw credentials in plaintext. Secure API keys with system keychains, auth profiles, and hardware-gated secrets.
·
5 min read
·
Mark
·
Security

Problem: Your OpenClaw Credentials Are Exposed

OpenClaw stores API keys in ~/.openclaw/openclaw.json as plaintext by default. Security researchers found hundreds of exposed instances with Anthropic, OpenAI, and Slack tokens visible in config files.

You'll learn:

  • Why plaintext credentials are dangerous in OpenClaw
  • How to use auth profiles and system keychains
  • When to use hardware-gated secret management

Time: 12 min | Level: Intermediate

Why This Happens

OpenClaw prioritizes ease of setup over security. When you run openclaw onboard, credentials get written directly to JSON config files. This creates multiple exposure vectors:

Common risks:

  • Config files committed to git repositories
  • Agent reads its own config via file access tools
  • Prompt injection extracts credentials from context
  • Directory listings leak to chat channels

Recent scans found that 7% of ClawHub skills instruct agents to mishandle secrets, passing API keys through LLM context windows where they're logged by model providers.

Solution

Step 1: Check Current Credential Storage

# View where your keys are stored
cat ~/.openclaw/openclaw.json | grep -A 2 "apiKeys"

Expected output:

"apiKeys": {
  "anthropic": "sk-ant-api03-...",
  "openai": "sk-..."
}

If you see actual API keys here, they're in plaintext.

Step 2: Migrate to Auth Profiles

Auth profiles store credentials in your system keychain instead of config files.

# Create auth profile structure
mkdir -p ~/.openclaw/agents/default/agent

Edit ~/.openclaw/openclaw.json and add:

{
  "agents": {
    "list": [
      {
        "id": "default",
        "auth": {
          "profiles": {
            "anthropic": {
              "provider": "anthropic",
              "keychain": true
            }
          }
        }
      }
    ]
  }
}

Why this works: The keychain: true flag tells OpenClaw to retrieve credentials from your OS keychain rather than the config file.

Step 3: Store Keys in System Keychain

macOS (uses Keychain):

# Store Anthropic key
security add-generic-password \
  -s "openclaw-anthropic" \
  -a "api-key" \
  -w "sk-ant-api03-YOUR-ACTUAL-KEY"

# Verify it's stored
security find-generic-password -s "openclaw-anthropic" -w

Linux (uses Secret Service):

# Install secret-tool if needed
sudo apt install libsecret-tools

# Store key
secret-tool store --label='OpenClaw Anthropic' \
  service openclaw-anthropic \
  account api-key

# Verify
secret-tool lookup service openclaw-anthropic account api-key

Windows (uses Credential Manager):

# Store using cmdkey
cmdkey /generic:"openclaw-anthropic" /user:"api-key" /pass:"sk-ant-YOUR-KEY"

# Verify
cmdkey /list | Select-String "openclaw"

Expected: Key retrieval returns your API key without errors.

If it fails:

  • Error: "security: SecKeychainItemCopyContent failed" → Key doesn't exist, run the storage command again
  • Error: "secret-tool: No such secret" → Secret Service isn't running, start gnome-keyring-daemon

Step 4: Remove Plaintext Keys from Config

# Backup original config
cp ~/.openclaw/openclaw.json ~/.openclaw/openclaw.json.backup

# Remove apiKeys section
# Edit manually or use this script
node -e "
const fs = require('fs');
const config = JSON.parse(fs.readFileSync(process.env.HOME + '/.openclaw/openclaw.json'));
delete config.apiKeys;
fs.writeFileSync(process.env.HOME + '/.openclaw/openclaw.json', JSON.stringify(config, null, 2));
"

Verify the file:

cat ~/.openclaw/openclaw.json | grep -i "sk-"

Expected: No API keys visible in the output.

Step 5: Test the Configuration

# Restart OpenClaw gateway
openclaw gateway stop
openclaw gateway start

# Send a test message
echo "Test: generate a haiku about security" | openclaw chat

You should see: OpenClaw successfully generates a response using the keychain-stored API key.

If it fails:

  • Error: "No API key found" → Auth profile config is incorrect, check Step 2
  • Error: "Permission denied accessing keychain" → Grant Terminal access in System Preferences > Security

Advanced: Hardware-Gated Secrets

For production deployments, use hardware-backed secret managers that require physical confirmation.

Option 1: 1Password CLI

# Install 1Password CLI
brew install --cask 1password-cli

# Store key with biometric gate
op item create \
  --category=password \
  --title="OpenClaw Anthropic" \
  --vault="Private" \
  password="sk-ant-YOUR-KEY"

# Configure OpenClaw to use 1Password
# In openclaw.json:
{
  "secrets": {
    "backend": "1password",
    "item": "OpenClaw Anthropic"
  }
}

Key benefit: Agent cannot extract secrets without Touch ID confirmation.

Option 2: AWS Secrets Manager

# Store secret in AWS
aws secretsmanager create-secret \
  --name openclaw/anthropic \
  --secret-string "sk-ant-YOUR-KEY"

# Configure OpenClaw
export OPENCLAW_SECRET_BACKEND=aws
export AWS_REGION=us-east-1

Key benefit: Automatic rotation, audit logging, IAM controls.

Option 3: Use openclaw-secure Package

# Install the security package
npm install -g openclaw-secure

# Initialize with 1Password backend
openclaw-secure init --backend 1password

# Migrate existing keys
openclaw-secure migrate

This package provides:

  • ✅ Config file reads show placeholders only
  • ✅ Prompt injection can't exfiltrate secrets
  • ✅ Safe to commit config to git
  • ✅ No secrets visible in file browsers

Verification

Security checklist:

# 1. No plaintext keys in config
grep -r "sk-" ~/.openclaw/*.json
# Expected: No matches

# 2. Keys stored in keychain
security find-generic-password -s "openclaw-anthropic"
# Expected: Password exists

# 3. Agent can still authenticate
openclaw message send --target test --message "ping"
# Expected: Success without key errors

# 4. Config is safe to share
cat ~/.openclaw/openclaw.json
# Expected: No API keys visible

What You Learned

  • OpenClaw's default storage is insecure by design
  • Auth profiles + system keychains eliminate config file leaks
  • Hardware-gated backends protect against agent memory access
  • 1Password/AWS integration adds biometric confirmation

Limitations:

  • Keys still exist in gateway process memory while running
  • Root access can read process memory
  • Doesn't protect against compromised model providers

When NOT to use this:

  • Quick local testing where security isn't critical
  • Disposable API keys with strict rate limits
  • Air-gapped development environments

Additional Security Measures

Restrict File Access

Add to your agent config to prevent credential leaks:

{
  "agents": {
    "list": [{
      "tools": {
        "deny": [
          "read",
          "write", 
          "exec"
        ]
      },
      "sandbox": {
        "mode": "all",
        "workspaceAccess": "none"
      }
    }]
  }
}

Monitor for Exposed Instances

# Check if your gateway is publicly accessible
curl -I http://localhost:18789

# Should return: Connection refused (if properly firewalled)
# Should NOT return: HTTP/1.1 200 OK

Use gateway.bind: "loopback" in config to prevent external access.

Rotate Keys Regularly

# Generate new Anthropic key at https://console.anthropic.com
# Update keychain
security delete-generic-password -s "openclaw-anthropic"
security add-generic-password -s "openclaw-anthropic" -a "api-key" -w "NEW-KEY"

# Restart gateway
openclaw gateway restart

Set a calendar reminder to rotate keys every 90 days.

Tested on OpenClaw 0.x, macOS 14+, Ubuntu 24.04, Windows 11

Security Notice: These methods protect against file-based leaks and casual snooping. They do NOT protect against:

  • Root-level system compromise
  • Memory inspection of running processes
  • Compromised secret manager backends
  • Supply chain attacks via malicious skills

For enterprise deployments, consider running OpenClaw in isolated containers with Composio's managed authentication to completely remove API keys from the agent environment.