Archive Format

Local backups are standard gzip-compressed tar archives (.tar.gz). You can inspect and extract them with standard tools — no vendor lock-in.

Inspecting Backups

# List contents
tar tzf ~/.clawon/backups/backup-2026-03-05T1030.tar.gz

# Extract manually
tar xzf ~/.clawon/backups/backup-2026-03-05T1030.tar.gz -C /tmp/inspect

# View metadata
tar xzf backup.tar.gz _clawon_meta.json -O | cat

Archive Contents

Each archive contains:

• _clawon_meta.json — metadata (version, date, tag, file count)
• Your workspace files in their original directory structure

Encrypted Archives (.tar.gz.enc)

When you use --encrypt, the .tar.gz archive is encrypted with AES-256-GCM and saved as .tar.gz.enc. The plaintext archive is deleted after encryption.

Binary format:

[4 bytes "CLWN"] [1 byte version=1] [16 bytes salt] [12 bytes IV] [...ciphertext...] [16 bytes authTag]

• Magic header: CLWN (4 bytes) identifies the file as a Clawon encrypted archive
• Version: 1 (1 byte) for future format changes
• Salt: 16-byte random salt used for PBKDF2 key derivation
• IV: 12-byte random initialization vector for AES-256-GCM
• Ciphertext: the encrypted .tar.gz contents
• Auth tag: 16-byte GCM authentication tag (integrity check)

Key derivation uses PBKDF2 with 100,000 iterations, SHA-512, and the embedded salt to produce a 256-bit key. Encrypted archives cannot be inspected without the correct passphrase.

# Create an encrypted backup
npx clawon local backup --encrypt

# Restore (will prompt for passphrase)
npx clawon local restore

Cloud Encrypted Backups

Cloud backups with --encrypt encrypt each file individually before uploading. The encryption metadata (salt, per-file IVs) is stored in the cloud manifest. The server never sees plaintext file contents.

Data Storage

Having trouble? Check the Troubleshooting guide.