If you’re running OpenClaw on a Linux server (VPS, Docker or Bare-metal), you already know one thing: rebuilding the container is easy, rebuilding your data isn’t. This guide walks you through setting up automatic, encrypted, versioned backups using Borg. Think Time Machine for your server, minus the hand‑holding. No Docker snapshots, no fragile workarounds. Just backups that are actually there when you need them.
What We’re Backing Up
OpenClaw keeps everything it needs in one place: ~/.openclaw — on most setups this expands to /home/psylla/.openclaw. That directory is your entire OpenClaw state — config, data, all of it.
Note: My username is psylla, yours will be different. With a good backup of ~/.openclaw you can rebuild on the same server, migrate to a new one, or recover from an accidental rm -rf at 2 am. Been there.
Before You Start
You’ll need:
- OpenClaw running
- A storage destination already mounted (NAS, external drive, remote mount — your call)
- Borg Backup installed
If you haven’t set up your storage mount yet, do that first. This guide picks up from there.
Step 1: Store Your Passphrase Securely (One‑Time)
Borg encrypts everything, and we want automation to work without someone sitting at a keyboard typing a password. So we store the passphrase in a locked‑down file.
sudo mkdir -p /root/.borg
sudo chmod 700 /root/.borg
sudo nano /root/.borg/passphraseLock it down: Type your passphrase — one line, no quotes — then save and exit.
sudo chmod 600 /root/.borg/passphraseOnly root can read it. That's the point.
Step 2: Initialize the Backup Repository (One‑Time)
Pick where your backups will live. This example uses:
/mnt/truenas_borg/openclaw_repoInitialize it with encryption:
borg init --encryption=repokey-blake2 /mnt/truenas_borg/openclaw_repoBorg will ask for your passphrase once to set things up. Write it down somewhere safe; without it and the repo, you’ve got nothing.
Step 3: Create the Backup Script
Open the script file:
nano /home/psylla/borg-openclaw-backup.shPaste the following:
#!/bin/bash
set -euo pipefail
REPO="/mnt/truenas_borg/openclaw_repo"
export BORG_PASSCOMMAND="cat /root/.borg/passphrase"
SOURCE="/home/psylla/.openclaw"
EXCLUDE=( '**/node_modules' '**/.cache' '**/tmp' )
EXCLUDE_FLAGS=()
for e in "${EXCLUDE[@]}"; do
EXCLUDE_FLAGS+=(--exclude "$e")
done
borg create --stats --compression lz4 \
"$REPO::openclaw-{now}" \
"$SOURCE" \
"${EXCLUDE_FLAGS[@]}"
borg prune -v --list "$REPO" \
--keep-daily=7 \
--keep-weekly=4 \
--keep-monthly=6Save, exit, and make it executable:
chmod +x /home/psylla/borg-openclaw-backup.shThe retention policy keeps 7 daily, 4 weekly, and 6 monthly backups. Adjust to taste.
Step 4: Run It Once Manually
Before trusting automation, make sure the script actually works:
/home/psylla/borg-openclaw-backup.shYou should see file counts, compression stats, and no password prompt. If it runs cleanly here, the scheduled job will too.
Step 5: Schedule It with systemd
Create the service:
sudo nano /etc/systemd/system/borg-openclaw-backup.service[Unit]
Description=Borg Backup OpenClaw
[Service]
Type=oneshot
ExecStart=/home/psylla/borg-openclaw-backup.shCreate the timer:
sudo nano /etc/systemd/system/borg-openclaw-backup.timer[Unit]
Description=Daily OpenClaw Backup
[Timer]
OnCalendar=daily
Persistent=true
[Install]
WantedBy=timers.targetEnable it:
sudo systemctl daemon-reload
sudo systemctl enable --now borg-openclaw-backup.timerConfirm it registered:
systemctl list-timers | grep borgDone. Backups run daily without you touching anything.
Restoring
List what you’ve got:
borg list /mnt/truenas_borg/openclaw_repoRestore a specific archive:
borg extract /mnt/truenas_borg/openclaw_repo::openclaw-YYYY-MM-DDTHH:MM:SSThat puts ~/.openclaw back where it belongs. Restart your OpenClaw container or service and you’re running again.
What You End Up With
- Encrypted, versioned backups running on autopilot.
- You can blow away the container whenever you want — the data is safe.
- Move to a new server, recover from corruption, roll back to last week — all of it works the same way.
- No enterprise tooling, no babysitting.
- Just a backup that's actually there when something goes wrong.