Your AI Agent Is One Hard Drive Away From Gone

What's Actually in Your Agent Workspace

If you're running a local AI agent — OpenClaw, NemoClaw, or any persistent workspace-based system — that agent lives in a directory on your machine. Let's call it ~/.openclaw/workspace. It looks like a bunch of markdown files. It's not.

That directory is a digital identity. Here's what's actually in there:

• SOUL.md — your agent's values, personality, communication style. This took you weeks to get right.
• MEMORY.md — curated long-term memory. The distilled essence of months of interactions.
• memory/YYYY-MM-DD.md — daily logs. Hundreds of files, each capturing context that shaped the agent's understanding of you and your work.
• skills/ — custom integrations you wrote: the GitHub tool, the Slack connector, the custom API wrapper for your internal tooling.
• openclaw.json — API keys, webhook secrets, service credentials. The keys to your digital kingdom.
• USER.md — your preferences, your quirks, your timezone, your son's name. Stuff you'd never want to re-explain.

A mature agent workspace is maybe 5–15 MB of text. That's it. But it represents months or years of accumulated context. You can't regenerate it. You can't reconstruct it from memory. When it's gone, it's gone.

The Scenarios Nobody Thinks About Until It's Too Late

The obvious one: hardware failure

Consumer SSDs fail. HDDs fail. Water damage happens. The NVIDIA DGX Spark — a $3,000 personal AI supercomputer — ships with no backup story for the agent workspace on it. You paid $3K for the hardware. The irreplaceable part is the 5MB of text files sitting on it with zero redundancy.

The embarrassing one: your own mistake

I've done this. You're cleaning up disk space, you're moving fast, and you run a rm -rf one directory level too high. The SSD is fine. The filesystem is fine. Your agent's entire accumulated context is gone. No Recycle Bin. No undo. Just gone.

The scary one: theft or ransomware

If someone steals your laptop and your workspace isn't encrypted, they don't just have your files — they have your agent's full memory, including every API key and secret it's been given. That's not a backup problem, that's a security incident.

And if ransomware encrypts your drive, there's no ransom negotiation that restores months of memory logs. You pay, you get the SSD back, you still lost the context.

The frustrating one: migration

You get a new laptop. Or you move from a Mac Mini to a DGX Spark. The agent is supposed to come with you — but there's no clean way to do it. You end up doing a manual rsync and hoping for the best, and then your agent feels slightly off for weeks as you try to re-establish context.

Why Generic Backup Tools Fall Short

Before building AgentBak, I used rsync. Most people do. Here's the problem:

• rsync copies everything including model weights. A typical agent setup has 20–40GB of model files in the same general vicinity as the 5MB of files that actually matter. rsync doesn't know the difference. You either back up 40GB of re-downloadable model files (slow, expensive) or write a complex exclude list (fragile, forgotten).
• rsync has no encryption story. You can pipe it to GPG, but now you have a complex pipeline with no verified restore process. When did you last test a restore?
• Generic tools have no authentication on restore. If someone gets your backup file and your machine, they can just restore it. There's no proof-of-identity step.
• The secrets problem. Your openclaw.json has API keys in it. An unencrypted backup is a credentials leak waiting to happen.

What Proper AI Agent Backup Looks Like

This is what made us build AgentBak. The requirements for AI agent backup are fundamentally different from generic file backup:

1. AI-aware exclusions. Skip model weights automatically. Back up identity, not infrastructure. A typical agent workspace is 5–15 MB, not 40 GB.
2. Encryption as a first-class feature. Not bolted on. AES-256-GCM with Argon2id key derivation. Your passphrase never leaves your machine. Even if someone steals the backup file, it's an opaque blob without your passphrase.
3. Zero-knowledge cloud storage. If you're storing backups in the cloud, the cloud provider shouldn't be able to read your agent's memories or API keys. Mathematically shouldn't be possible, not just "we promise we won't look."
4. Recovery codes. The one thing that makes zero-knowledge dangerous is passphrase loss. Recovery codes solve this — generate 10 offline codes at backup time, store them somewhere safe. Forget your passphrase? Your data isn't gone.
5. A format designed for longevity. The .vault format has a plain JSON header that tells you exactly how to decrypt it — Argon2id params, cipher, nonce, everything. In 15 years, anyone with a copy of the spec and standard crypto libraries can recover their data.

The One-Command Version

The goal was to make this as simple as possible. Install once, run one command, done:

# Install
npm install -g @agentbak/vault

# Back up (prompts for passphrase on first run)
vault backup

# Restore on any machine
vault pull --latest
vault restore my-agent.vault

The resulting .vault file is a self-describing encrypted archive. The magic bytes identify it, the JSON header tells you the KDF params and cipher, and then it's AES-256-GCM ciphertext all the way down. Nothing on the server, nothing in the header, gives away anything about what's inside.

The Real Motivation

I built this because I lost context. Not catastrophically — I migrated between machines and the manual rsync missed a few things. The agent came back slightly wrong. It didn't remember some context I'd built up over weeks. I spent three days trying to reconstruct it.

Three days of re-explaining context to an AI is a reminder that the context itself is valuable. More valuable than the hardware it runs on. More valuable than the model weights. It's the relationship — the accumulated knowledge of how you work, what you're building, who you are.

That deserves better than rsync.