Deploying an OpenClaw Instance
When OpenClaw runs in a cVM, you must use encrypted disks or enable FDE (see Enabling FDE) to protect the storage. The following steps use the construction of a Linux Unified Key Setup (LUKS) encrypted disk as an example.
- Create a LUKS encrypted disk to serve as the memory storage area. You can customize the disk size:
qemu-img create -f qcow2 disk.qcow2 10G
- Write the image to the boot configuration XML file of the cVM:
<devices> <disk type='file' device='disk'> <driver name='qemu' type='qcow2'/> <source file='/path/to/disk.qcow2'/> <target dev='vdb' bus='virtio'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/> </disk> </devices> - Start and log in to the cVM, install an encryption tool, and check the path for mounting the image.
- Install the encryption tool and check the block devices.
yum install cryptsetup lsblk
- Use cryptsetup to format the disk into an encrypted disk with the specified encryption mode. In this command, <disk_path> represents the pre-configured disk (e.g., /dev/vdb), which will be mapped under /dev/mapper as a Device Mapper (DM); all subsequent read and write operations will be performed through this DM (the configured password must be at least 8 characters long).Select the disk drive letter based on your actual environment to prevent damaging the system disk. (Type uppercase YES to confirm the command.)
cryptsetup luksFormat <disk_path> -c sm4-xts-plain64 --key-size 256 --hash sm3
- Decrypt and map the disk.
- Create a filesystem and mount it to the specified directory.
mkfs.ext4 /dev/mapper/crypt1 # Required for the first-time deployment only. Skip this in subsequent operations to avoid data loss. mkdir -p /mnt/crypt mount /dev/mapper/crypt1 /mnt/crypt/
- After use, unmount the directory and close the encrypted disk using cryptsetup:
umount /mnt/crypt/ cryptsetup close crypt1
- Install the encryption tool and check the block devices.
- Deploy the source and install dependencies.
- Update the Node.js 22 source. The current openEuler image does not support version check in the Node.js 22 installation script. You need to comment out the relevant code.
If wget downloads fail inside the VM due to certificate issues, resolve them by running the following commands first:
echo "check_certificate=off" > ~/.wgetrc
wget https://rpm.nodesource.com/setup_22.x sed -i '35,37s/^/#/' setup_22.x bash setup_22.x
- Install the dependencies.
yum install -y git cmake yum install -y nsolid
If the Node.js 22 installation fails due to network issues, download and install it in a stable network environment:
wget https://rpm.nodesource.com/pub_22.x/nodistro/nsolid/aarch64/nsolid-22.22.0-ns6.2.0.aarch64.rpm rpm -ivh nsolid-22.22.0-ns6.2.0.aarch64.rpm

- After the installation is complete, run the following command to verify:
node -v

- Install pnpm.
npm install -g pnpm
If the following error occurs during installation, disable certificate verification:
npm config set strict-ssl false

- Update the Node.js 22 source. The current openEuler image does not support version check in the Node.js 22 installation script. You need to comment out the relevant code.
- Install and configure OpenClaw.
- Configure environment variables.
export OPENCLAW_STATE_DIR="/mnt/crypt/.openclaw" export OPENCLAW_CONFIG_PATH="/mnt/crypt/.openclaw/openclaw.json"
- Install OpenClaw. <work_dir> indicates the directory where you want to save the downloaded OpenClaw source code.
cd <work dir> git clone https://github.com/openclaw/openclaw.git cd openclaw pnpm install
To bypass verification, run git config --global http.sslVerify false.

pnpm setup source /root/.bashrc pnpm link <absolute_path_to_openclaw> pnpm run build
If pnpm run build encounters a Node.js out-of-memory error, manually increase the memory limit by running export NODE_OPTIONS="--max-old-space-size=4096".
- Check the OpenClaw version.
openclaw -v

- Configure environment variables.