OpenClaw Cloud Backup
Backs up OpenClaw state to a local archive and uploads it to cloud storage.
Follow the steps below. Inform the user about implicit defaults applied after execution.
Backup procedure (follow every step)
Step 1: Run the backup
```bash
bash {baseDir}/scripts/cloud-backup.sh backup full
```
Default mode is full. Use workspace, skills, or settings only when the user explicitly asks for a narrower backup scope.
Step 2: Check backup output for encryption warning
Look at the script output from Step 1. If it contains:
`WARN: Encryption is disabled — backup archive will be stored in plaintext.`
ask the user:
"Your backups are not encrypted. Archives contain config, credentials, and API keys in cleartext. Want to set a passphrase? (AES-256, just the passphrase needed to restore — no key files.)"
- If user provides a passphrase → write both via `gateway config.patch` and tell the user what was saved:
  - `skills.entries.cloud-backup.config.encrypt = true`
  - `skills.entries.cloud-backup.env.GPG_PASSPHRASE = "<passphrase>"`

  Then re-run the backup so the archive is encrypted.
- If user says no / skip → continue to Step 3.
- If the warning is not present (encryption already enabled) → continue to Step 3.
Always execute this step and report the result. Backups may contain secrets — prompt every time encryption is off.
Step 3: Check script output for warnings
Look at the script output. If it contains WARN: Cloud storage is not configured, go to Step 4. Otherwise go to Step 5.
Step 4: Cloud not configured — ask user to set it up
Tell the user the backup was saved locally, then ask:
"Cloud storage isn't configured yet — backups are local only. Want to set up cloud upload? I support AWS S3, Cloudflare R2, Backblaze B2, MinIO, DigitalOcean Spaces, or any other S3-compatible service."
- If user says yes → go to Cloud setup section below, then re-run the backup.
- If user says no / local-only → set `config.upload=false` via `gateway config.patch` and confirm the change to the user. Done.
Always execute this step — offer cloud setup when it's missing and report what was configured.
Step 5: Report result and ensure scheduling
Report the backup paths from the script output to the user.
Then check if a daily cron job already exists for cloud-backup (cron action=list). If no cron job exists, create one with the default schedule and tell the user:
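```json
{
  "schedule": { "kind": "cron", "expr": "0 2 * * *" },
  "payload": { "kind": "agentTurn", "message": "Run cloud-backup: backup full" },
  "sessionTarget": "isolated"
}
```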
Default: daily at 2 AM. Use a different schedule only if the user explicitly asked for one.
Tell the user: "Scheduled daily backup at 2 AM." (or whatever time was set).
Execute this step by default unless the user asked not to. Report the result: cron job created, or creation failed.
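As an added example (not part of the cloud-backup skill), here is one way to confirm after the Step 2 re-run that the archive on disk is really ciphertext before it leaves the machine. It assumes unencrypted archives are gzip tarballs; the function names and sample file names are hypothetical.

```sh
#!/bin/sh
# Added example, not part of the cloud-backup skill.
# Assumption: unencrypted archives are gzip-compressed tarballs.

# Prints one of: openpgp-binary, openpgp-armored, gzip-plaintext, unknown.
archive_kind() {
  # First two bytes as lowercase hex, e.g. "8c0d".
  magic=$(od -An -tx1 -N2 < "$1" | tr -d ' \n')
  case "$magic" in
    1f8b) echo gzip-plaintext; return 0 ;;
    # OpenPGP packet tag 3 (symmetric-key encrypted session key), which
    # passphrase-based OpenPGP encryption writes first: old-format header
    # bytes 0x8c-0x8f, new-format header byte 0xc3.
    8c*|8d*|8e*|8f*|c3*) echo openpgp-binary; return 0 ;;
  esac
  # ASCII-armored output starts with this exact 27-byte line.
  if head -c 27 < "$1" | grep -qxF -e '-----BEGIN PGP MESSAGE-----'; then
    echo openpgp-armored
  else
    echo unknown
  fi
}

# Succeeds only when the archive looks like OpenPGP ciphertext.
is_encrypted_archive() {
  case "$(archive_kind "$1")" in
    openpgp-*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample headers (not real backups); file names are hypothetical.
demo() {
  d=$(mktemp -d)
  printf '\037\213\010\000' > "$d/plain.tar.gz"    # gzip magic 1f 8b
  printf '\214\015\004\011' > "$d/enc.tar.gz.gpg"  # 8c 0d 04 09
  for f in "$d"/*; do
    printf '%s: %s\n' "${f##*/}" "$(archive_kind "$f")"
  done
  rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run the script with the argument `demo` to see both constructed headers classified. A header check only shows the container type; `restore <name> --dry-run` remains the test that the passphrase actually decrypts the archive.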
Cloud setup
When the user agrees to configure cloud storage:
1. Ask which provider: AWS S3, Cloudflare R2, Backblaze B2, MinIO, DigitalOcean Spaces, or other.
2. Read the matching provider guide from `references/providers/` — it has exact config keys, endpoint format, and credential steps.
3. Collect and write config via `gateway config.patch` — bucket, credentials, endpoint (if non-AWS).
4. Run `status` to verify connectivity, then re-run backup.
Commands
```bash
bash {baseDir}/scripts/cloud-backup.sh <command>
```
| Command | What it does |
|---|---|
| `backup [full\|workspace\|skills\|settings]` | Create archive + upload if configured. Default: `full` |
| `list` | Show local + remote backups |
| `restore <name> [--dry-run] [--yes]` | Restore from local or cloud. Always `--dry-run` first |
| `cleanup` | Prune old archives (local: capped at 7; cloud: count + age) |
| `status` | Show current config and dependency check |
Config reference
All in skills.entries.cloud-backup in OpenClaw config. Don't write defaults — the script handles them.
config.*
| Key | Default | Description |
|---|---|---|
| `bucket` | — | Storage bucket name (required for cloud) |
| `region` | `us-east-1` | Region hint |
| `endpoint` | (none) | S3-compatible endpoint (required for non-AWS) |
| `profile` | (none) | Named AWS CLI profile (alternative to keys) |
| `upload` | `true` | Upload to cloud after backup |
| `encrypt` | `false` | GPG-encrypt archives |
| `retentionCount` | `10` | Cloud: keep N backups. Local: capped at 7 |
| `retentionDays` | `30` | Cloud only: delete archives older than N days |
env.*
| Key | Description |
|---|---|
| `ACCESS_KEY_ID` | S3-compatible access key |
| `SECRET_ACCESS_KEY` | S3-compatible secret key |
| `SESSION_TOKEN` | Optional temporary token |
| `GPG_PASSPHRASE` | For automated encryption/decryption |
Provider guides
Read the relevant one only during setup:
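- `references/providers/aws-s3.md`
- `references/providers/cloudflare-r2.md`
- `references/providers/backblaze-b2.md`
- `references/providers/minio.md`
- `references/providers/digitalocean-spaces.md`
- `references/providers/other.md` — any S3-compatible service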
Security
See references/security.md for credential handling and troubleshooting.
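OpenClaw Cloud Backup
Backs up OpenClaw state to a local archive and uploads it to cloud storage.
Follow the steps below. After execution, tell the user which implicit defaults were applied.
Backup procedure (follow every step)
Step 1: Run the backup
```bash
bash {baseDir}/scripts/cloud-backup.sh backup full
```
The default mode is full. Use workspace, skills, or settings only when the user explicitly asks for a narrower backup scope.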
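Step 2: Check backup output for encryption warning
Look at the script output from Step 1. If it contains:
`WARN: Encryption is disabled — backup archive will be stored in plaintext.`
ask the user:
"Your backups are not encrypted. Archives contain config, credentials, and API keys in cleartext. Do you want to set a passphrase? (AES-256, only the passphrase is needed to restore; no key files.)"
- If the user provides a passphrase → write both settings via `gateway config.patch` and tell the user what was saved:
  - `skills.entries.cloud-backup.config.encrypt = true`
  - `skills.entries.cloud-backup.env.GPG_PASSPHRASE = "<passphrase>"`

  Then re-run the backup so the archive is encrypted.
- If the user declines / skips → continue to Step 3.
- If the warning is not present (encryption already enabled) → continue to Step 3.

Always execute this step and report the result. Backups may contain secrets, so prompt every time encryption is off.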
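Step 3: Check script output for warnings
Look at the script output. If it contains `WARN: Cloud storage is not configured`, go to Step 4. Otherwise go to Step 5.
Step 4: Cloud storage not configured, ask the user to set it up
Tell the user the backup was saved locally, then ask:
"Cloud storage isn't configured yet, so backups are local only. Do you want to set up cloud upload? I support AWS S3, Cloudflare R2, Backblaze B2, MinIO, DigitalOcean Spaces, or any other S3-compatible service."
- If the user agrees → go to the Cloud setup section below, then re-run the backup.
- If the user declines / wants local-only → set `config.upload=false` via `gateway config.patch` and confirm the change to the user. Done.

Always execute this step: offer cloud setup when it is missing, and report what was configured.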
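Step 5: Report result and ensure scheduling
Report the backup paths from the script output to the user.
Then check whether a daily cron job already exists for cloud-backup (cron action=list). If no cron job exists, create one with the default schedule and tell the user:
```json
{
  "schedule": { "kind": "cron", "expr": "0 2 * * *" },
  "payload": { "kind": "agentTurn", "message": "Run cloud-backup: backup full" },
  "sessionTarget": "isolated"
}
```
Default: daily at 2 AM. Use a different schedule if the user explicitly asked for another time.
Tell the user: "Scheduled daily backup at 2 AM." (or whatever time was set).
Execute this step by default unless the user asked not to. Report the result: cron job created, or creation failed.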
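Cloud setup
When the user agrees to configure cloud storage:
1. Ask which provider: AWS S3, Cloudflare R2, Backblaze B2, MinIO, DigitalOcean Spaces, or other.
2. Read the matching provider guide from `references/providers/`; it contains the exact config keys, endpoint format, and credential steps.
3. Collect and write the config via `gateway config.patch`: bucket, credentials, endpoint (if non-AWS).
4. Run `status` to verify connectivity, then re-run the backup.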
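Commands
```bash
bash {baseDir}/scripts/cloud-backup.sh <command>
```
| Command | What it does |
|---|---|
| `backup [full\|workspace\|skills\|settings]` | Create archive + upload if configured. Default: `full` |
| `list` | Show local + remote backups |
| `restore <name> [--dry-run] [--yes]` | Restore from local or cloud storage. Always use `--dry-run` first |
| `cleanup` | Prune old archives (local: at most 7 kept; cloud: by count + age) |
| `status` | Show current config and dependency check |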
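Config reference
Everything lives under `skills.entries.cloud-backup` in the OpenClaw config. Don't write defaults; the script handles them.
config.*
| Key | Default | Description |
|---|---|---|
| `bucket` | — | Storage bucket name (required for cloud) |
| `region` | `us-east-1` | Region hint |
| `endpoint` | (none) | S3-compatible endpoint (required for non-AWS) |
| `profile` | (none) | Named AWS CLI profile (alternative to keys) |
| `upload` | `true` | Upload to cloud storage after backup |
| `encrypt` | `false` | Encrypt archives with GPG |
| `retentionCount` | `10` | Cloud: keep N backups. Local: at most 7 kept |
| `retentionDays` | `30` | Cloud only: delete archives older than N days |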
env.*
| Key | Description |
|---|---|
| `ACCESS_KEY_ID` | S3-compatible access key |
| `SECRET_ACCESS_KEY` | S3-compatible secret key |
| `SESSION_TOKEN` | Optional temporary token |
| `GPG_PASSPHRASE` | For automated encryption/decryption |
Provider guides
Read the relevant guide only during setup:
- `references/providers/aws-s3.md`
- `references/providers/cloudflare-r2.md`
- `references/providers/backblaze-b2.md`
- `references/providers/minio.md`
- `references/providers/digitalocean-spaces.md`
- `references/providers/other.md`: any S3-compatible service

Security
See references/security.md for credential handling and troubleshooting.