{"skill":{"slug":"backup-and-restore","displayName":"Backup & Restore","summary":"Backup, restore, disaster recovery, and migration for OpenClaw. Encrypts and stores ~/.openclaw/ locally and to cloud destinations (S3, R2, B2, GCS, Google D...","description":"---\nname: backup\ndescription: Backup, restore, disaster recovery, and migration for OpenClaw. Encrypts and stores ~/.openclaw/ locally and to cloud destinations (S3, R2, B2, GCS, Google Drive, rsync). Use when the user asks about backups, snapshots, disaster recovery, migration, or restoring OpenClaw from a backup.\nmetadata:\n  {\n    \"openclaw\":\n      {\n        \"requires\": { \"bins\": [\"gpg\", \"tar\"], \"optionalBins\": [\"jq\", \"aws\", \"gsutil\", \"gcloud\", \"b2\", \"rclone\", \"rsync\"] },\n        \"env\": [\"BACKUP_PASSPHRASE\", \"BACKUP_ENCRYPT\", \"BACKUP_RETAIN_DAYS\", \"BACKUP_STOP_GATEWAY\", \"BACKUP_DIR\"],\n        \"credentials\": [\"~/.openclaw/credentials/backup/backup-passphrase\"],\n        \"optionalCredentials\": [\"~/.openclaw/credentials/backup/aws-credentials\", \"~/.openclaw/credentials/backup/r2-credentials\", \"~/.openclaw/credentials/backup/b2-credentials\", \"~/.openclaw/credentials/backup/gcs-key.json\", \"~/.openclaw/credentials/backup/rclone.conf\"],\n      },\n  }\n---\n\n# Backup Skill\n\nBackup and restore your entire OpenClaw installation — config, credentials, workspace, memory, and skills.\n\n## Requirements\n\n**Required:** `gpg`, `tar` (typically pre-installed on Linux)\n\n**Optional** (for cloud uploads): `jq`, `aws` (S3/R2), `gsutil`/`gcloud` (GCS), `b2` (Backblaze), `rclone` (Google Drive), `rsync`\n\n**Environment variables:** `BACKUP_PASSPHRASE`, `BACKUP_ENCRYPT`, `BACKUP_RETAIN_DAYS`, `BACKUP_STOP_GATEWAY`, `BACKUP_DIR`\n\n**Credential files** (created during setup, stored at `~/.openclaw/credentials/backup/`):\n- `backup-passphrase` — required for encrypted full backups\n- `aws-credentials`, `r2-credentials`, `b2-credentials`, `gcs-key.json`, `rclone.conf` — optional, per cloud provider\n\n## Quick Start\n\n```bash\n# Run a backup now — creates TWO files: full (encrypted) + workspace-only\n~/.openclaw/workspace/skills/backup/scripts/backup.sh\n\n# Upload both backups to configured cloud destinations\n~/.openclaw/workspace/skills/backup/scripts/upload.sh\n\n# Full restore (same environment / disaster recovery)\n~/.openclaw/workspace/skills/backup/scripts/restore.sh ~/backups/openclaw/openclaw-myhost-20260215-full.tar.gz.gpg\n\n# Workspace-only restore (any environment — just the agent's brain)\n~/.openclaw/workspace/skills/backup/scripts/restore.sh ~/backups/openclaw/openclaw-myhost-20260215-workspace.tar.gz\n```\n\n## Interactive Setup\n\nFor guided setup, read `references/setup-guide.md` and follow the conversational flow with the user. This walks through encryption, backup mode, schedule, and cloud destination configuration.\n\n## Manual Usage\n\n### backup.sh — Create local backups\n\nEvery run produces **two files**:\n\n1. **Full backup** (`*-full.tar.gz.gpg`) — everything including credentials, encrypted. For disaster recovery on the same or similar environment.\n2. **Workspace backup** (`*-workspace.tar.gz.gpg`) — just `~/.openclaw/workspace/` (memory, skills, files), encrypted. Safe to restore on any environment without affecting gateway config. This is the agent's brain.\n\n```bash\n# Default: creates both files\n./scripts/backup.sh\n\n# Skip gateway stop/restart (for testing)\nBACKUP_STOP_GATEWAY=false ./scripts/backup.sh\n```\n\nSaves to `~/backups/openclaw/`.\n\n### upload.sh — Upload to cloud\n\n```bash\n# Upload latest local backup to all configured destinations\n./scripts/upload.sh\n\n# Upload a specific file\n./scripts/upload.sh /path/to/backup.tar.gz.gpg\n```\n\n### restore.sh — Restore from backup\n\n```bash\n# Full restore (disaster recovery — replaces entire ~/.openclaw/)\n./scripts/restore.sh openclaw-myhost-20260215-full.tar.gz.gpg\n\n# Workspace-only restore (just the agent brain — keeps your config/credentials)\n./scripts/restore.sh openclaw-myhost-20260215-workspace.tar.gz\n\n# Extract only workspace from a full backup\n./scripts/restore.sh --workspace-only openclaw-myhost-20260215-full.tar.gz.gpg\n\n# From cloud\n./scripts/restore.sh s3://mybucket/openclaw/openclaw-myhost-20260215-workspace.tar.gz\n```\n\nAutomatically detects workspace backups by filename. Creates a safety copy before extracting.\n\n**Note:** Workspace-only restores don't require a gateway restart — the agent picks up the new files on its next session. Full restores stop and replace the entire `~/.openclaw/` directory, so the gateway needs to be restarted afterward.\n\n### test-backup.sh — Validate setup\n\n```bash\n./scripts/test-backup.sh\n```\n\nCreates a tiny test file, encrypts, uploads to all destinations, verifies, cleans up. Exit 0 = all good.\n\n## Config Reference\n\nConfig lives at `~/.openclaw/workspace/skills/backup/config.json`:\n\n| Field | Type | Default | Description |\n|-------|------|---------|-------------|\n| `encrypt` | bool | `true` | AES-256 GPG symmetric encryption (for full backups) |\n| `retainDays` | number | `30` | Auto-prune local backups older than this |\n| `schedule` | string | `\"daily\"` | `daily`, `weekly`, or `manual` |\n| `destinations` | array | `[]` | Cloud upload targets (see destinations.md) |\n\n## Environment Variables\n\nAll settings can be overridden via env vars:\n\n| Variable | Description |\n|----------|-------------|\n| `BACKUP_ENCRYPT` | `true` or `false` (for full backups) |\n| `BACKUP_RETAIN_DAYS` | Number of days to keep old backups |\n| `BACKUP_PASSPHRASE` | Encryption passphrase (or read from credentials file) |\n| `BACKUP_STOP_GATEWAY` | `true` (default) or `false` |\n| `BACKUP_DIR` | Override backup output directory |\n\n## Credentials\n\nStored in `~/.openclaw/credentials/backup/`:\n\n- `backup-passphrase` — encryption passphrase\n- `aws-credentials` — for S3\n- `r2-credentials` — for Cloudflare R2\n- `b2-credentials` — for Backblaze B2\n- `gcs-key.json` — Google Cloud Storage service account key\n- `rclone.conf` — for Google Drive (rclone config)\n\n## Security Notes\n\n- Backups are encrypted by default with AES-256 (GPG symmetric)\n- **Full-mode backups REQUIRE encryption** — the script will refuse to run without a passphrase when mode=full, since credentials would be stored in plaintext\n- Workspace-only backups are also encrypted — they contain personal data (memory, notes, conversations)\n- The passphrase file at `~/.openclaw/credentials/backup/backup-passphrase` should be readable only by the owner (mode 600)\n- On first use, always walk the user through setting a passphrase (see `references/setup-guide.md`)\n- If no passphrase is set, default to portable mode — never store credentials unencrypted\n- Local backups are auto-pruned after the configured retention period\n- Remote backups are never auto-deleted (see `references/destinations.md` for lifecycle guidance)\n","topics":["Backup"],"tags":{"latest":"1.3.0"},"stats":{"comments":0,"downloads":390,"installsAllTime":14,"installsCurrent":0,"stars":0,"versions":7},"createdAt":1771136931345,"updatedAt":1778990641153},"latestVersion":{"version":"1.3.0","createdAt":1771143436674,"changelog":"Workspace backups now encrypted by default (contain personal data). Both full and workspace files use same passphrase. Added explicit Requirements section to SKILL.md body.","license":null},"metadata":{"setup":[],"os":null,"systems":null},"owner":{"handle":"ryanedick","userId":"s179sww0qgbnfve61gzgaq7z1s88538v","displayName":"ryanedick","image":"https://avatars.githubusercontent.com/u/687368?v=4"},"moderation":null}