Secrets
Use your vault or OAuth flow; do not paste credentials.
Step-by-step guide
Do these in order before install day.
Complete as much as your policy allows. If a step is blocked, note who can approve or unblock it during onboarding.
Step 1
Choose a maintained Linux host
Use a supported, maintained distribution such as Ubuntu LTS or Debian stable unless we have agreed on another target. Tell us if the host runs other production services that cannot be restarted.
Step 2
Confirm sudo and home directory access
Confirm the account used for setup can run sudo and create files in its home directory. Keep credentials in your password manager or internal vault.
Step 3
Patch packages and reboot if needed
Install all pending security and package updates, then reboot if the kernel or core services changed. Check disk space and memory so package installation and logs do not fail mid-setup.
Step 4
Prepare network and SSH posture
Keep the machine on reliable power and a trusted private network. Confirm SSH access only if we ask for it, use scoped keys, and remove temporary access at handoff unless ongoing support requires it.
Step 5
Document blockers before the call
Document any corporate firewall, endpoint security, outbound proxy, or package repository restrictions that could block installation.
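A read-only preflight for Steps 1 to 5 above, written as an added example; it is not a Claw Empire or Hermes script. It assumes a Debian or Ubuntu host, and the function names, the `check` argument, and the disk and memory thresholds are illustrative assumptions, not documented requirements.

```shell
#!/bin/sh
# Added example: read-only preflight for Steps 1-5 on a Debian/Ubuntu host.
# Thresholds are assumptions for illustration, not documented Hermes requirements.
MIN_DISK_MB=${MIN_DISK_MB:-5120}
MIN_MEM_MB=${MIN_MEM_MB:-2048}

# Step 1: print the distro ID; succeed for Ubuntu LTS or Debian.
# Whether a Debian release is the current stable must still be confirmed by hand.
distro_supported() {
    f=${1:-/etc/os-release}
    [ -r "$f" ] || return 2
    id=$(sed -n 's/^ID=//p' "$f" | tr -d '"')
    echo "$id"
    case "$id" in
        ubuntu) grep -q '^VERSION=.*LTS' "$f" ;;
        debian) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 2: prove the account can create (and remove) a file in its home directory.
home_writable() {
    t=$(mktemp "${1:-$HOME}/.preflight.XXXXXX" 2>/dev/null) && rm -f "$t"
}

# Step 3: reboot flag left by Debian/Ubuntu updates; free disk and total RAM in MB.
reboot_pending() { [ -e "${1:-/var/run/reboot-required}" ]; }
free_disk_mb() { df -Pk "${1:-/}" | awk 'NR==2 { print int($4 / 1024) }'; }
total_mem_mb() { awk '/^MemTotal:/ { print int($2 / 1024) }' "${1:-/proc/meminfo}"; }

# Step 5: list proxy variables that are set, by name only, so that a proxy URL
# with embedded credentials never lands in a support thread.
proxy_vars_set() {
    for v in http_proxy https_proxy no_proxy HTTP_PROXY HTTPS_PROXY NO_PROXY; do
        eval "[ -n \"\${$v:-}\" ]" && printf '%s ' "$v"
    done
    return 0
}

main() {
    if d=$(distro_supported); then echo "OK   distro: $d"; else echo "WARN distro: ${d:-unknown}"; fi
    if sudo -n true 2>/dev/null; then echo "OK   sudo without prompt"; else echo "NOTE sudo needs a password or is unavailable"; fi
    if home_writable; then echo "OK   home writable"; else echo "FAIL cannot write to $HOME"; fi
    if reboot_pending; then echo "WARN reboot required"; else echo "OK   no reboot flag"; fi
    [ "$(free_disk_mb "$HOME")" -ge "$MIN_DISK_MB" ] && echo "OK   disk" || echo "WARN low disk"
    [ "$(total_mem_mb)" -ge "$MIN_MEM_MB" ] && echo "OK   memory" || echo "WARN low memory"
    echo "proxy variables set: $(proxy_vars_set)"
}
case "${1:-}" in check) main ;; esac
```

Saved under any name (for example `preflight.sh`, an assumed filename), it runs as `sh preflight.sh check` from the setup account. The output contains no secret values, so it can be shared when documenting blockers.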
OS readiness is only half the install. We also need account owners, MFA, and access boundaries available during the call.
Account readiness
Decide which always-on computer will host Hermes. Keep it on reliable power, a trusted private network, and at the location where it will normally operate.
Make sure the business owner or operator can approve access decisions and use an administrator account during the call.
Keep MFA devices, password manager access, approved accounts, and off-limits systems ready. Do not send passwords, private keys, recovery keys, or tokens in chat or email.
Use a private, trusted network. Avoid hotel, airport, café, and conference Wi-Fi for install day.
Tell us before the call about device-management, firewall, VPN, antivirus, IP allowlisting, or vendor-review constraints.
Platform notes
If this host runs other production services, tell us what cannot be restarted before the call begins.
Keep credentials in your password manager or internal vault; do not paste private keys or tokens into support threads.
Install day agenda
What we will walk through together.
Step 1
Confirm scope, owner, machine, and access boundary.
Step 2
Verify OS, network, shell, package manager, and remote access posture.
Step 3
Install and configure Hermes on your infrastructure.
Step 4
Connect approved accounts and integrations through secure OAuth or password-manager flows.
Step 5
Run supervised test workflows with clear approval gates.
Step 6
Document operating commands, recovery notes, and the handoff checklist.
Handoff boundary
Hermes launches under supervision.
Legacy OpenClaw support is diagnostic-only unless explicitly scoped. The legacy path is ~/.openclaw/. No alternate legacy directory applies.
Run Hermes in supervised mode first; treat the first week as calibration.
Keep one owner responsible for policy: autonomous actions, confirmation-required actions, and off-limits systems.
Store handoff notes, recovery steps, and account ownership in your internal docs or password manager.
Rotate temporary credentials and remove temporary remote access that is not part of ongoing support.
If a company policy, device constraint, or access question changes the plan, send it to your Claw Empire contact before the call. The goal is a prepared handoff, not last-minute privilege escalation.