diff --git a/.gitignore b/.gitignore
index 39a5f27..d8b6a6a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 **/config/*
+**/secrets/*
 values.user.yaml
 charts
\ No newline at end of file
diff --git a/engram-backup/cronjob.yaml b/engram-backup/cronjob.yaml
new file mode 100644
index 0000000..d219ed4
--- /dev/null
+++ b/engram-backup/cronjob.yaml
@@ -0,0 +1,68 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+    name: engram-backup
+    labels:
+        app: engram-backup
+spec:
+    schedule: "0 0 * * *"
+    timeZone: "Asia/Shanghai"
+    concurrencyPolicy: Forbid
+    startingDeadlineSeconds: 300
+    successfulJobsHistoryLimit: 1
+    failedJobsHistoryLimit: 3
+    suspend: false
+    jobTemplate:
+      spec:
+        backoffLimit: 2
+        activeDeadlineSeconds: 1800
+        ttlSecondsAfterFinished: 86400
+        template:
+          metadata:
+            labels:
+              app: engram-backup
+          spec:
+            restartPolicy: OnFailure
+            initContainers:
+            - name: backup
+              image: engram
+              env:
+              - name: ENGRAM_DATA_DIR
+                value: /engram-data
+              volumeMounts:
+              - name: tmp
+                mountPath: /tmp
+              - name: engram-data
+                mountPath: /engram-data
+              command:
+              - /bin/sh
+              args:
+              - -c
+              - 'export DATE=$(date +%Y/%m/%d) && mkdir -p /tmp/engram/$DATE && engram export "/tmp/engram/$DATE/engram-data.json" && gzip /tmp/engram/$DATE/engram-data.json'
+              securityContext:
+                runAsUser: 0
+            containers:
+            - name: upload
+              image: aws
+              imagePullPolicy: IfNotPresent
+              envFrom:
+              - secretRef:
+                  name: backup-env
+              - configMapRef:
+                  name: backup-env
+              args:
+              - s3
+              - sync
+              - "./engram"
+              - "s3://senset-backups/engram-backup"
+              volumeMounts:
+              - name: tmp
+                mountPath: /aws
+                readOnly: true
+            volumes:
+            - name: tmp
+              emptyDir: {}
+            - name: engram-data
+              hostPath:
+                path: /data/engram
+                type: Directory
diff --git a/engram-backup/kustomization.yaml b/engram-backup/kustomization.yaml
new file mode 100644
index 0000000..35178f5
--- /dev/null
+++ b/engram-backup/kustomization.yaml
@@ -0,0 +1,23 @@
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
+kind: Kustomization
+namespace: mcp
+resources:
+- cronjob.yaml
+images:
+- name: engram
+  newName: ghcr.io/gentleman-programming/engram
+  newTag: v1.16.1
+- name: aws
+  newName: cr.wetofu.me/amazon/aws-cli
+  newTag: '2.34.57'
+secretGenerator:
+- name: backup-env
+  type: Opaque
+  files:
+  - secrets/AWS_ACCESS_KEY_ID
+  - secrets/AWS_SECRET_ACCESS_KEY
+configMapGenerator:
+- name: backup-env
+  files:
+  - config/AWS_REGION
+  - config/AWS_ENDPOINT_URL_S3
\ No newline at end of file