Run OpenClaw inside Docker, talking
transparently to a BLACKBOX AI confidential / end-to-end-encrypted model
endpoint through a local decrypting proxy — same UX as pointing OpenClaw at
api.openai.com, but every byte on the wire is AES-256-GCM sealed into a
GPU-attested enclave.
┌──────────────────────────── container ────────────────────────────┐
│ │
│ openclaw ──► http://127.0.0.1:8080/v1 (plain OpenAI JSON) │
│ │ │
│ ▼ │
│ bb-cc-proxy │
│ │ ECDH + AES-256-GCM │
└────────────────────────┼───────────────────────────────────────────┘
│
▼
https://{organisation}.blackbox.ai/enc/{provider}/{model}/{attestation,message,message_stream}
│
▼
GPU enclave · vLLM
# 1. drop your org host (and optionally an API key) in .env
cp .env.example .env
$EDITOR .env # set ENC_MODEL_URL=https://{your-org}.blackbox.ai
# optionally set BLACKBOX_API_KEY=sk-...
# (or leave it out and let each client supply its own key)
# 2. build
docker compose build openclaw
# 3. one-shot smoke test (recommended first run)
docker compose run --rm openclaw \
openclaw agent --local --session-key poc:smoketest \
--message "In one sentence, what model are you?"
# expected tail of output:
# [provider-transport-fetch] start provider=bbenc … model=google/gemma-4-31b-it
# POST /v1/chat/completions HTTP/1.1 200
# Hello! I'm using the bbenc/google/gemma-4-31b-it model.
# [agent] run … ended with stopReason=stop
# 4. interactive chat (default CMD)
docker compose run --rm openclaw
# or drop into the container for debugging:
docker compose run --rm openclaw bashBehind the scenes the container's entrypoint:
- Starts
bb-cc-proxy --enc-endpoint $ENC_MODEL_URL --model $ENC_MODEL_ID. - That performs
GET /enc/.../attestation, does the ECDH key exchange, and binds the returnedsession_id. - Waits for
http://127.0.0.1:8080/healthto report ok. - Execs
openclawwith a pre-baked~/.openclaw/openclaw.jsonthat treatshttp://127.0.0.1:8080/v1as a normal OpenAI-compatible provider namedbbenc.
OpenClaw's requests are OpenAI-shaped; the proxy converts each one into an
encrypted /message (or /message_stream) call and returns an OpenAI
chat.completion (or SSE stream) with the decrypted reply.
| Env var | Default | Purpose |
|---|---|---|
ENC_MODEL_URL |
https://{organisation}.blackbox.ai |
Required. Your org's confidential-compute host |
ENC_MODEL_ID |
google/gemma-4-31b-it |
provider/model under /enc/… |
BLACKBOX_API_KEY |
(optional) | Default upstream bearer (used when client sends no key) |
PROXY_PORT |
8080 |
Local port OpenClaw / other clients talk to |
PASSTHROUGH_API_KEY |
1 |
1 = forward client's Authorization header upstream; 0 = always use BLACKBOX_API_KEY |
By default (PASSTHROUGH_API_KEY=1) the proxy forwards each caller's
Authorization: Bearer <sk-...> header verbatim upstream to the enclave —
so multiple users on the same proxy each use their own key end-to-end, and no
key needs to be baked into the image or .env.
# no BLACKBOX_API_KEY in .env — every request must supply its own:
curl -s http://localhost:8080/v1/chat/completions \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer sk-YOUR-OWN-KEY' \
-d '{"model":"google/gemma-4-31b-it",
"messages":[{"role":"user","content":"hello"}]}'Resolution order (per request): client Authorization header → client
x-api-key header → BLACKBOX_API_KEY default → 401.
The pre-baked OpenClaw config lives at
openclaw/openclaw.json and is copied to
/root/.openclaw/openclaw.json inside the image. If you change the model, edit
both the env var and the model id in that JSON.
You can exercise the exact same proxy on your host:
git clone https://github.com/blackboxai-dev/bb-cc-proxy.git
cd bb-cc-proxy
python3 -m venv .venv && .venv/bin/pip install -e .
BLACKBOX_API_KEY=sk-... .venv/bin/bb-cc-proxy \
--enc-endpoint https://{organisation}.blackbox.ai \
--model google/gemma-4-31b-it \
--insecure-skip-attestation
# in another terminal:
curl -s http://127.0.0.1:8080/v1/chat/completions \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer sk-YOUR-KEY' \
-d '{"model":"google/gemma-4-31b-it",
"messages":[{"role":"user","content":"hello"}]}'- Attestation verification is disabled for this POC (the public
/enc/…attestation report layout differs from what the proxy's verifier was written for). The ECDH handshake and AES-GCM sealing still run — traffic between the proxy and the enclave stays end-to-end encrypted — but you are not cryptographically verifying that the far end is a real confidential GPU. Adding a public-endpoint attestation verifier is the natural next step; see the WARNING logged on startup andcc_proxy/crypto.py. - The proxy holds the AES session key and sees plaintext. Run it only on a trusted machine (the container counts as your trust boundary here).
BLACKBOX_API_KEYis read from your.envand passed into the container as an environment variable — never bake it into an image or commit it.
.
├── openclaw/
│ ├── Dockerfile # Node 24 + Python 3, both CLIs pre-installed
│ ├── entrypoint.sh # starts proxy, waits for /health, execs openclaw
│ └── openclaw.json # pre-baked config: bbenc provider → 127.0.0.1:8080
├── docker-compose.yml
├── .env.example
└── encrypted-model.md # BLACKBOX AI encrypted-model API reference
The decrypting proxy (bb-cc-proxy) is cloned into the image at build time
from https://github.com/blackboxai-dev/bb-cc-proxy — pin a specific version
with BB_CC_PROXY_REF=<sha|tag|branch> docker compose build openclaw.