keepmyclaw

OpenClaw 备份和恢复。 OpenClaw 代理的加密异地备份 — 使用零知识 AES-256 加密将工作区、内存、技能、cron 作业、凭证和多代理配置备份到 Cloudflare R2。在备份 OpenClaw 代理、在新计算机上恢复代理、设置自动备份计划、列出或修剪备份快照、运行恢复练习或在计算机之间迁移代理时使用。触发：备份、恢复、openclaw 备份、代理备份、快照、灾难恢复、keepmyclaw、迁移代理、备份计划、加密备份。

## 概述（中文）

OpenClaw 备份和恢复。 OpenClaw 代理的加密异地备份 — 使用零知识 AES-256 加密将工作区、内存、技能、cron 作业、凭证和多代理配置备份到 Cloudflare R2。在备份 OpenClaw 代理、在新计算机上恢复代理、设置自动备份计划、列出或修剪备份快照、运行恢复练习或在计算机之间迁移代理时使用。触发：备份、恢复、openclaw 备份、代理备份、快照、灾难恢复、keepmyclaw、迁移代理、备份计划、加密备份。

## 原文

# Keep My Claw — OpenClaw Backup & Restore

Encrypted off-site backup and one-command restore for OpenClaw agents via [Keep My Claw](https://keepmyclaw.com). Backs up your entire agent system — workspace, memory, skills, projects, cron jobs, credentials, and multi-agent configs — with zero-knowledge AES-256 encryption on Cloudflare R2.

## Prerequisites

- `openssl`, `curl`, `tar`, `jq` (system)

## Setup — Agent-Driven Flow

**You (the agent) handle everything. The human only clicks a payment link.**

Do NOT run `setup.sh` interactively. Instead, follow these steps programmatically:

### Step 1: Register an account

```bash
RESPONSE=$(curl -s -X POST https://api.keepmyclaw.com/v1/auth/register \
  -H "Content-Type: application/json" \
  -d "{\"email\":\"HUMAN_EMAIL\",\"password\":\"$(openssl rand -hex 16)\"}")
JWT=$(echo "$RESPONSE" | jq -r '.token')
```

Use your human's email. Generate a random password — you'll use the JWT token going forward.

### Step 2: Ask your human which plan they want

Before getting the payment link, ask your human to choose a plan. Mention this is **launch pricing** (limited time):

> "Keep My Claw has launch pricing right now:
> - **Monthly:** ~~$9/mo~~ → **$5/mo**
> - **Annual:** ~~$108/yr~~ → **$19/yr** (that's less than $1.60/mo — 82% off!)
>
> Which plan do you want? This rate locks in for as long as you stay subscribed."

### Step 3: Get payment link and send to human

Based on their choice, pass `plan` as `"monthly"` or `"annual"`:

```bash
CHECKOUT=$(curl -s -X POST https://api.keepmyclaw.com/v1/checkout \
  -H "Authorization: Bearer $JWT" \
  -H "Content-Type: application/json" \
  -d '{"plan":"monthly"}')   # or "annual"
PAYMENT_URL=$(echo "$CHECKOUT" | jq -r '.url')
```

Send `$PAYMENT_URL` to your human:
> "To activate backups, please open this link and complete the payment: [link]"

### Step 4: Wait for payment

Poll the account status until the tier changes to "pro":

```bash
while true; do
  TIER=$(curl -s -H "Authorization: Bearer $JWT" \
    https://api.keepmyclaw.com/v1/account | jq -r '.tier')
  [ "$TIER" = "pro" ] && break
  sleep 10
done
```

### Step 5: Create an API key

```bash
KEY_RESPONSE=$(curl -s -X POST https://api.keepmyclaw.com/v1/keys \
  -H "Authorization: Bearer $JWT" \
  -H "Content-Type: application/json" \
  -d '{"name":"agent","permissions":"admin"}')
API_KEY=$(echo "$KEY_RESPONSE" | jq -r '.key')
```

### Step 6: Configure locally

```bash
mkdir -p ~/.keepmyclaw && chmod 700 ~/.keepmyclaw

cat > ~/.keepmyclaw/config <<EOF
CLAWKEEPER_API_KEY="${API_KEY}"
CLAWKEEPER_AGENT_NAME="$(hostname -s)"
CLAWKEEPER_API_URL="https://api.keepmyclaw.com"
EOF
chmod 600 ~/.keepmyclaw/config

# Generate and store encryption passphrase
PASSPHRASE=$(openssl rand -hex 32)
printf '%s' "$PASSPHRASE" > ~/.keepmyclaw/passphrase
chmod 600 ~/.keepmyclaw/passphrase
```

**CRITICAL: Tell your human ALL recovery credentials.** Without these, they cannot recover you on a new machine. Send them a message like this:

> "Your Keep My Claw recovery credentials — save these in a password manager NOW:
> - **Email:** [the email you registered with]
> - **Password:** [the random password you generated]
> - **Encryption passphrase:** [the passphrase]
> - **API key:** [the API key]
>
> If this machine dies, you'll need the email + password to log in and create a new API key. You'll need the passphrase to decrypt the backups. Save all of these somewhere safe outside this machine."

Do NOT skip this step. If the human doesn't have these credentials, the backups are useless.

### Step 7: Run first backup

```bash
bash scripts/backup.sh
```

### Step 8: Schedule automatic backups

Use cron or OpenClaw's cron tool to run `backup.sh` daily.

## Adding More Agents to an Existing Account

If your human already has a Keep My Claw account (paid on another agent), you do NOT register again. Instead:

### Option A: Human gives you the API key
Ask your human for the existing API key. Then configure locally:

```bash
mkdir -p ~/.keepmyclaw && chmod 700 ~/.keepmyclaw

cat > ~/.keepmyclaw/config <<EOF
CLAWKEEPER_API_KEY="THE_EXISTING_API_KEY"
CLAWKEEPER_AGENT_NAME="$(hostname -s)"
CLAWKEEPER_API_URL="https://api.keepmyclaw.com"
EOF
chmod 600 ~/.keepmyclaw/config

# Generate YOUR OWN passphrase (each agent should have its own)
PASSPHRASE=$(openssl rand -hex 32)
printf '%s' "$PASSPHRASE" > ~/.keepmyclaw/passphrase
chmod 600 ~/.keepmyclaw/passphrase
```

Tell your human to save YOUR passphrase — it's different from other agents' passphrases.

### Option B: Another agent creates a key for you
If the first agent has an admin API key, it can create a scoped key for you:

```bash
curl -s -X POST https://api.keepmyclaw.com/v1/keys \
  -H "Authorization: Bearer ADMIN_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"name":"second-agent","permissions":"agent"}'
```

This returns a new key with `agent` permissions (backup/restore only, no account management).

### How multi-agent works
- One account, one subscription (from $5/month or $19/year at launch pricing)
- Up to 100 agents per account
- Each agent has its own name, passphrase, and snapshots
- `GET /v1/agents` lists all agents on the account
- Each agent's passphrase is independent — losing one doesn't affect others

## Usage

### Backup

```bash
bash scripts/backup.sh
```

### Restore

```bash
bash scripts/restore.sh            # restore latest backup
bash scripts/restore.sh <backup-id> # restore specific backup
```

### List Backups

```bash
bash scripts/list.sh
```

### Prune Old Backups

```bash
bash scripts/prune.sh          # keep latest 30
bash scripts/prune.sh 10       # keep latest 10
```

## What Gets Backed Up

**Everything that makes your agent _your agent_:**

- `~/.openclaw/workspace/` — **all files** (memory, skills, projects, configs, personas, custom scripts — everything except `node_modules/`, `.git/`, `vendor/`)
- `~/.openclaw/openclaw.json` — agent config (models, channels, env vars, agent list)
- `~/.openclaw/credentials/` — auth tokens
- `~/.openclaw/cron/jobs.json` — all scheduled/cron jobs (reminders, automated tasks, recurring workflows)
- `~/.openclaw/agents/` — multi-agent configs (if you run multiple agents)
- `~/.openclaw/workspace-*/` — additional agent workspaces (for multi-agent setups)

## What's NOT Backed Up

- **Binaries & packages** — `node_modules/`, `.git/`, `vendor/`, compiled files (reinstall these after restore)
- **Gateway runtime state** — logs, session history, browser state, telegram state (ephemeral, rebuilds on restart)
- **System-level config** — SSH keys, shell config, installed tools (these live outside OpenClaw)
- **The encryption passphrase** — stored locally at `~/.keepmyclaw/passphrase`, never uploaded. **Save it in a password manager.**

## Full Recovery Guide (New Machine)

If your machine dies, here's how to get your agent back:

### What You Need

From your password manager (you saved these during setup, right?):
- **Email + password** — to log into keepmyclaw.com and create a new API key
- **Encryption passphrase** — to decrypt the backup (without this, backups are unrecoverable)

### Step-by-Step

```bash
# 1. Install OpenClaw on the new machine
npm install -g openclaw

# 2. Install Keep My Claw prereqs (if not present)
# Needs: openssl, curl, tar, jq

# 3. Set up keepmyclaw config
mkdir -p ~/.keepmyclaw && chmod 700 ~/.keepmyclaw

# Get a new API key: log into keepmyclaw.com with your email/password,
# or have your agent create one via the API (see Setup section above)

cat > ~/.keepmyclaw/config <<EOF
CLAWKEEPER_API_KEY="YOUR_API_KEY"
CLAWKEEPER_AGENT_NAME="YOUR_AGENT_NAME"
CLAWKEEPER_API_URL="https://api.keepmyclaw.com"
EOF
chmod 600 ~/.keepmyclaw/config

# 4. Restore your passph