cloud-backup

备份和恢复 OpenClaw 状态。创建本地档案并上传到 S3 兼容的云存储（AWS S3、Cloudflare R2、Backblaze B2、MinIO、DigitalOcean Spaces 等）。当用户说“备份”、“备份”、“进行备份”、“恢复”或任何有关备份 OpenClaw 的内容时使用。

## 概述（中文）

备份和恢复 OpenClaw 状态。创建本地档案并上传到 S3 兼容的云存储（AWS S3、Cloudflare R2、Backblaze B2、MinIO、DigitalOcean Spaces 等）。当用户说“备份”、“备份”、“进行备份”、“恢复”或任何有关备份 OpenClaw 的内容时使用。

## 原文

# OpenClaw Cloud Backup

Backs up OpenClaw state to a local archive and uploads it to cloud storage.

Follow the steps below. Inform the user about implicit defaults applied after execution.

## Backup procedure (follow every step)

### Step 1: Run the backup

```bash
bash "{baseDir}/scripts/cloud-backup.sh" backup full
```

Default mode is `full`. Use `workspace`, `skills`, or `settings` only when the user explicitly asks for a narrower backup scope.

### Step 2: Check backup output for encryption warning

Look at the script output from Step 1. If it contains:

`WARN: Encryption is disabled — backup archive will be stored in plaintext.`

ask the user:

> "Your backups are not encrypted. Archives contain config, credentials, and API keys in cleartext. Want to set a passphrase? (AES-256, just the passphrase needed to restore — no key files.)"

- If user provides a passphrase → write both via `gateway config.patch` and tell the user what was saved:
  - `skills.entries.cloud-backup.config.encrypt = true`
  - `skills.entries.cloud-backup.env.GPG_PASSPHRASE = "<passphrase>"`
  Then re-run the backup so the archive is encrypted.
- If user says no / skip → continue to Step 3.
- If the warning is not present (encryption already enabled) → continue to Step 3.

Always execute this step and report the result. Backups may contain secrets — prompt every time encryption is off.

### Step 3: Check script output for warnings

Look at the script output. If it contains `WARN: Cloud storage is not configured`, go to **Step 4**. Otherwise go to **Step 5**.

### Step 4: Cloud not configured — ask user to set it up

Tell the user the backup was saved locally, then ask:

> "Cloud storage isn't configured yet — backups are local only. Want to set up cloud upload? I support AWS S3, Cloudflare R2, Backblaze B2, MinIO, DigitalOcean Spaces, or any other S3-compatible service."

- If user says yes → go to **Cloud setup** section below, then re-run the backup.
- If user says no / local-only → set `config.upload=false` via `gateway config.patch` and confirm the change to the user. Done.

Always execute this step — offer cloud setup when it's missing and report what was configured.

### Step 5: Report result and ensure scheduling

Report the backup paths from the script output to the user.

Then check if a daily cron job already exists for cloud-backup (`cron action=list`). If **no cron job exists**, create one with the default schedule and tell the user:

```json
{
  "schedule": { "kind": "cron", "expr": "0 2 * * *" },
  "payload": { "kind": "agentTurn", "message": "Run cloud-backup: backup full" },
  "sessionTarget": "isolated"
}
```

Default: **daily at 2 AM**. Use a different schedule if it was explicitly asked for one.

Tell the user: "Scheduled daily backup at 2 AM." (or whatever time was set).

This step should be executed by default unless user asked not to do it. Report about the result — cron job created or failed to be created.

---

## Cloud setup

When the user agrees to configure cloud storage:

1. **Ask which provider**: AWS S3, Cloudflare R2, Backblaze B2, MinIO, DigitalOcean Spaces, or other.
2. **Read the matching provider guide** from `references/providers/` — it has exact config keys, endpoint format, and credential steps.
3. **Collect and write config** via `gateway config.patch` — bucket, credentials, endpoint (if non-AWS).
4. **Run `status`** to verify connectivity, then re-run backup.

## Commands

```
bash "{baseDir}/scripts/cloud-backup.sh" <command>
```

| Command | What it does |
|---------|-------------|
| `backup [full\|workspace\|skills\|settings]` | Create archive + upload if configured. Default: `full` |
| `list` | Show local + remote backups |
| `restore <name> [--dry-run] [--yes]` | Restore from local or cloud. Always `--dry-run` first |
| `cleanup` | Prune old archives (local: capped at 7; cloud: count + age) |
| `status` | Show current config and dependency check |

## Config reference

All in `skills.entries.cloud-backup` in OpenClaw config. **Don't write defaults — the script handles them.**

### `config.*`

| Key | Default | Description |
|-----|---------|-------------|
| `bucket` | — | Storage bucket name (required for cloud) |
| `region` | `us-east-1` | Region hint |
| `endpoint` | *(none)* | S3-compatible endpoint (required for non-AWS) |
| `profile` | *(none)* | Named AWS CLI profile (alternative to keys) |
| `upload` | `true` | Upload to cloud after backup |
| `encrypt` | `false` | GPG-encrypt archives |
| `retentionCount` | `10` | Cloud: keep N backups. Local: capped at 7 |
| `retentionDays` | `30` | Cloud only: delete archives older than N days |

### `env.*`

| Key | Description |
|-----|-------------|
| `ACCESS_KEY_ID` | S3-compatible access key |
| `SECRET_ACCESS_KEY` | S3-compatible secret key |
| `SESSION_TOKEN` | Optional temporary token |
| `GPG_PASSPHRASE` | For automated encryption/decryption |

## Provider guides

Read the relevant one only during setup:

- `references/providers/aws-s3.md`
- `references/providers/cloudflare-r2.md`
- `references/providers/backblaze-b2.md`
- `references/providers/minio.md`
- `references/providers/digitalocean-spaces.md`
- `references/providers/other.md` — any S3-compatible service

## Security

See `references/security.md` for credential handling and troubleshooting.