Data encryption
Last updated Mar 31, 2026
MultiClaw encrypts credentials and API keys stored in MultiClaw Cloud and secures all external traffic in transit with TLS. Your local OpenClaw config file, conversation history, and agent definitions are stored as plain text on your device, protected only by OS file permissions.
Protection overview
On your device:
| Data | Protection at rest |
|---|---|
| API keys and credentials in ~/.openclaw/openclaw.json | Not encrypted (plain JSON, OS file permissions) |
| Desktop app authentication bearer token | Not encrypted (WebView local storage) |
| Conversations in ~/.openclaw/conversations/ | Not encrypted (plain JSON, OS file permissions) |
| Agent definitions, skill files, workflow recordings | Not encrypted (plain JSON, OS file permissions) |
In MultiClaw Cloud (when connected to a workspace):
| Data | Protection at rest |
|---|---|
| LLM API keys and instance credentials | AWS disk encryption + application-layer AES-256 |
| Synced conversations | AWS disk encryption |
| Synced agent definitions and skill files | AWS disk encryption |
| Workspace and account metadata | AWS disk encryption |
Encryption at rest
Local device
Your local OpenClaw config file (~/.openclaw/openclaw.json) is stored as plain JSON on disk. It is not encrypted. Access is limited by OS file permissions. Only your user account can read the file.
The OpenClaw runtime stores all configuration as plain JSON files. MultiClaw reads and writes these files but does not apply its own encryption layer.
The desktop app's authentication bearer token is stored in the WebView's local storage. The bearer token is separate from the gateway workspace auth token, which is stored in ~/.openclaw/openclaw.json alongside the API keys. Neither token is encrypted at rest on the local device.
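Because file permissions are the only local protection, it is worth checking them. The script below is an added example, not MultiClaw or OpenClaw code: the function names are hypothetical, and the only path it assumes is the ~/.openclaw directory named on this page.

```shell
#!/bin/sh
# Added example: audit the OS-level protections this page relies on.
# Usage after sourcing: audit_openclaw_perms "$HOME/.openclaw"

# Print every non-symlink path under $1 that grants any permission bit to
# group or other, or that is not owned by the current user.
# Returns 0 if nothing is found, 1 on findings, 2 if $1 is not a directory.
audit_openclaw_perms() {
    dir=$1
    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 2; }
    # POSIX find: -perm -NNN matches when that bit is set; OR the six
    # group/other bits together so the check works on GNU and BSD find.
    findings=$(find "$dir" ! -type l \( \
        -perm -040 -o -perm -020 -o -perm -010 -o \
        -perm -004 -o -perm -002 -o -perm -001 -o \
        ! -user "$(id -u)" \) -print)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Remove all group/other access from the tree rooted at $1.
tighten_openclaw_perms() {
    chmod -R go-rwx "$1"
}

# Report full-disk encryption state using the operating system's own tools.
fde_status() {
    case "$(uname -s)" in
        Darwin) fdesetup status ;;   # FileVault state
        Linux)  lsblk -o NAME,TYPE,FSTYPE | grep -E 'crypt|crypto_LUKS' \
                    || echo "no LUKS volumes found" ;;
        *)      echo "unsupported OS: check encryption settings manually" ;;
    esac
}
```

A clean audit only shows that other local accounts cannot read the files; any process running as your own user still can.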
MultiClaw Cloud
Workspace data stored in MultiClaw Cloud is hosted on AWS, which encrypts storage volumes at rest using AWS-managed encryption keys. Sensitive values — such as LLM API keys and instance credentials — receive an additional layer of protection: they are encrypted at the application layer using AES-256 before being stored. When MultiClaw Cloud syncs your configuration to a cloud desktop instance, it also encrypts API keys and credentials with AES-256-GCM in the sync payload, using a key derived from your instance token.
Application-layer encryption keys for credentials are managed by MultiClaw's infrastructure. Workspace members do not hold or control these keys.
Encryption in transit
All traffic between MultiClaw components and external services travels over encrypted connections. The only exception is the link between the desktop app and the local OpenClaw gateway, which uses an unencrypted connection on localhost. This traffic never leaves your machine.
| Connection | Protocol |
|---|---|
| Desktop app ↔ MultiClaw Cloud (HTTP) | HTTPS: TLS 1.2 minimum, TLS 1.3 preferred |
| Gateway ↔ MultiClaw Cloud (WebSocket) | WSS (WebSocket Secure): TLS-encrypted |
| Desktop app ↔ local OpenClaw gateway | WS/HTTP on localhost: unencrypted, never leaves your machine |
| Local gateway → LLM provider API | HTTPS: TLS-encrypted |
| Cloud desktop viewer (WebRTC) | DTLS-SRTP: standard encryption for peer-to-peer media |
What is not encrypted locally
The local files listed in the protection overview use OS file permissions as their only protection. That's sufficient against remote access, but it doesn't protect against physical access to your device.
If your device is lost, stolen, or accessed by someone with your OS credentials, these files are readable. Full-disk encryption closes this gap.
When you connect to a workspace, conversations, agent definitions, and skill files sync to MultiClaw Cloud, where they receive AWS disk encryption.
Enable full-disk encryption
Full-disk encryption protects all files on your device, including the plain-text data listed above, from unauthorized physical access.
- macOS: Open System Settings → Privacy & Security → FileVault and turn FileVault on.
- Windows: Open Settings → Privacy & security → Device encryption, or search for BitLocker on Pro and Enterprise editions.
- Linux: Most distributions offer LUKS encryption during installation. If your disk is not already encrypted, back up your data and reinstall with the encryption option enabled.
Shared responsibility
MultiClaw encrypts your credentials and API keys in the cloud. Protecting your local device is your responsibility.
| Area | Who handles it | Protection |
|---|---|---|
| API keys and credentials in MultiClaw Cloud | MultiClaw | AES-256 application encryption + AWS disk encryption |
| Cloud storage volumes | AWS | AWS-managed disk encryption |
| Traffic between MultiClaw and external services | MultiClaw | TLS 1.2+ for HTTP, WSS for WebSocket |
| Local config, agent files, and conversations | You | OS file permissions + full-disk encryption |
| Authentication tokens on your device | You | OS file permissions + full-disk encryption |
What you can verify
Full-disk encryption: Check your OS settings using the instructions above. On macOS, look for "FileVault: On" in System Settings → Privacy & Security. On Windows, look for "Device encryption is on" in Settings → Privacy & security.
Transit encryption: All connections from the desktop app and Gateway to MultiClaw Cloud use HTTPS and WSS. You can confirm this with browser developer tools or a network monitoring tool — all external traffic will show TLS certificates issued to MultiClaw domains.
Cloud encryption at rest: Application-layer encryption of cloud-stored credentials is handled transparently by MultiClaw's infrastructure. You cannot inspect it directly — this is a trust boundary inherent to any cloud-hosted service.
MultiClaw Cloud encrypts credentials and API keys stored in its database. Local files on your device — including config, conversations, and agent data — are not encrypted by MultiClaw. Full-disk encryption is the most effective way to protect them.