PrivateClaw runs AI agents in verifiable confidential VMs
PrivateClaw runs AI agents inside AMD SEV-SNP Trusted Execution Environments, giving users hardware-enforced memory encryption and a 5-step open-source CLI to cryptographically verify their agent's execution environment.
Teams building or deploying AI agents on sensitive data can use PrivateClaw's hardware-enforced TEEs and open-source verification CLI to cryptographically confirm their workloads are isolated — removing the need to blindly trust a cloud provider with plaintext.
PrivateClaw addresses a trust gap in hosted AI agent platforms by running agents inside Trusted Execution Environments (TEEs) using AMD's SEV-SNP standard. Unlike conventional hosted platforms that require users to trust the provider with plaintext data, PrivateClaw enforces encryption at the hardware layer. Each user receives a dedicated CVM — no shared tenancy — with memory encryption enforced by a per-VM key managed by the AMD Secure Processor, which sits outside the host OS trust boundary. Critically, the hypervisor itself cannot read guest memory. Inference also runs inside TEEs, meaning prompts and completions are private end-to-end.
The platform ships an open-source CLI (available at `github.com/lunal-dev/privateclaw-cli`) pre-installed on every user CVM, enabling a 5-step verification process:
1. SEV-SNP attestation: fetch a signed report from the AMD PSP and validate it against AMD's root of trust.
2. vTPM verification: confirm the virtual TPM's endorsement key is bound to the CVM's attestation.
3. Host key binding: verify the SSH host key matches the one measured in the attestation report.
4. Inference endpoint check: confirm the inference proxy certificate is bound to its TEE measurement.
5. Access control audit: validate that only the user's SSH key is authorized and the cloud's guest agent is disabled.
The infrastructure runs on Azure Confidential Compute, with inference powered by Confidential AI's TEE-backed vLLM deployment. Attestable builds — which would allow users to verify *what* software is running inside the TEE, not just *that* it's running in a TEE — are listed as a roadmap item. Pricing includes a free tier and a Pro tier at $69/mo, and the platform can be accessed immediately via `ssh privateclaw.dev`.
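The host-key binding check from the verification steps above, as an added example that is not PrivateClaw's CLI code: it parses the fixed-offset fields of an SEV-SNP attestation report, refuses a report whose guest policy allows debug (the host could then inspect guest state), and compares REPORT_DATA with the SHA-512 of the SSH host key and the launch measurement with an expected value. It assumes the guest places that digest in REPORT_DATA, which the page does not specify, and leaves out the signature check against AMD's root of trust, which needs AMD's VCEK certificate chain.

```python
import hashlib
import struct
# Byte offsets from the SEV-SNP ATTESTATION_REPORT layout (AMD SEV-SNP ABI spec).
REPORT_LEN = 0x4A0          # 1184 bytes, including the 512-byte signature
OFF_VERSION, OFF_POLICY = 0x00, 0x08
OFF_REPORT_DATA, OFF_MEASUREMENT = 0x50, 0x90
POLICY_DEBUG_BIT = 1 << 19  # guest policy DEBUG flag: lets the host inspect guest state

def parse_report(raw: bytes) -> dict:
    """Extract the fields the binding checks need from a raw report."""
    if len(raw) != REPORT_LEN:
        raise ValueError(f"unexpected report length {len(raw)}")
    return {
        "version": struct.unpack_from("<I", raw, OFF_VERSION)[0],
        "policy": struct.unpack_from("<Q", raw, OFF_POLICY)[0],
        "report_data": raw[OFF_REPORT_DATA:OFF_REPORT_DATA + 64],
        "measurement": raw[OFF_MEASUREMENT:OFF_MEASUREMENT + 48],
    }

def check_binding(raw: bytes, host_pubkey: bytes, expected_measurement: bytes) -> list:
    """Return the failed checks; an empty list means the report passes.
    Assumption (not on the page): the guest put SHA-512 of its SSH host public
    key into REPORT_DATA when requesting the report, so a match ties the key the
    SSH client sees to this CVM. Verifying the report signature against AMD's
    VCEK chain is a separate step that needs AMD's certificates.
    """
    r = parse_report(raw)
    failures = []
    if r["policy"] & POLICY_DEBUG_BIT:
        failures.append("guest policy allows DEBUG: host can read guest state")
    if r["report_data"] != hashlib.sha512(host_pubkey).digest():
        failures.append("REPORT_DATA does not match SSH host key digest")
    if r["measurement"] != expected_measurement:
        failures.append("launch measurement differs from expected value")
    return failures

def build_report(report_data: bytes, measurement: bytes, policy: int) -> bytes:
    """Constructed, unsigned report bytes for offline testing only."""
    buf = bytearray(REPORT_LEN)
    struct.pack_into("<I", buf, OFF_VERSION, 2)
    struct.pack_into("<Q", buf, OFF_POLICY, policy)
    buf[OFF_REPORT_DATA:OFF_REPORT_DATA + 64] = report_data
    buf[OFF_MEASUREMENT:OFF_MEASUREMENT + 48] = measurement
    return bytes(buf)

# Constructed sample inputs: a placeholder host key and reference measurement.
HOST_KEY = b"ssh-ed25519 AAAA-placeholder-host-key"
GOOD_MEASUREMENT = bytes(range(48))
GOOD_REPORT = build_report(hashlib.sha512(HOST_KEY).digest(), GOOD_MEASUREMENT, 0x30000)
```

On a real CVM the raw report comes from the guest's SEV-SNP device and the expected measurement from the launch configuration the operator publishes; both are placeholders here.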
Key facts
1. AI agents run inside Trusted Execution Environments (TEEs) backed by AMD's SEV-SNP standard.
2. Each user gets a dedicated Confidential VM (CVM) — no shared tenancy — with per-VM hardware memory encryption.
3. The hypervisor cannot read guest memory; the AMD Secure Processor manages keys outside the host OS trust boundary.
4. Inference also runs inside TEEs, keeping prompts and completions private.
5. An open-source CLI enables a 5-step cryptographic verification: SEV-SNP attestation, vTPM binding, SSH host key check, inference endpoint check, and access control audit.