diff --git a/hermes/cronjob.yaml b/hermes/cronjob.yaml
new file mode 100644
index 0000000..1d527a7
--- /dev/null
+++ b/hermes/cronjob.yaml
@@ -0,0 +1,56 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: backup
+spec:
+  schedule: "0 1 * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          volumes:
+          - name: tmp
+            emptyDir:
+              medium: Memory
+          - name: target
+            hostPath:
+              path: /data/hermes
+          - name: backup-script
+            configMap:
+              name: backup-script
+          # 初始化阶段打包
+          initContainers:
+          - name: backup-package
+            # image: busybox:1.28
+            image: package
+            command:
+            - /bin/sh
+            - /backup.sh
+            volumeMounts:
+            - mountPath: /tmp
+              name: tmp
+            - mountPath: /target/hermes
+              name: target
+              readOnly: true
+            - mountPath: /backup.sh
+              name: backup-script
+              subPath: backup.sh
+          containers:
+          - name: backup-upload
+            # image amazon/aws-cli:2.34.57
+            image: aws
+            envFrom:
+            - secretRef:
+                name: backup-env
+            - configMapRef:
+                name: backup-env
+            args:
+            - s3
+            - sync
+            - "./hermes-backup"
+            - "s3://senset-backups/hermes-data"
+            volumeMounts:
+            - mountPath: /aws
+              name: tmp
+              readOnly: true
+          restartPolicy: OnFailure
diff --git a/hermes/deploy.yaml b/hermes/deploy.yaml
index 5301ebd..a1d9e63 100644
--- a/hermes/deploy.yaml
+++ b/hermes/deploy.yaml
@@ -112,3 +112,13 @@ spec:
           limits:
             memory: "4Gi"
             cpu: "2"
+        lifecycle:
+          preStop:
+            sleep:
+              seconds: 30
+            #exec:
+            #  command:
+            #  - rm
+            #  - -f
+            #  - /opt/data/gateway.lock
+            #  - /opt/data/gateway.pid
diff --git a/hermes/kustomization.yaml b/hermes/kustomization.yaml
index 9469d54..fdb164c 100644
--- a/hermes/kustomization.yaml
+++ b/hermes/kustomization.yaml
@@ -7,10 +7,17 @@ replicas:
 resources:
 - deploy.yaml
 - services.yaml
+- cronjob.yaml
 images:
 - name: image
   newName: cr.wetofu.me/nousresearch/hermes-agent
   newTag: v2026.5.29
+- name: package
+  newName: cr.wetofu.me/library/busybox
+  newTag: '1.28'
+- name: aws
+  newName: cr.wetofu.me/amazon/aws-cli
+  newTag: '2.34.57'
 secretGenerator:
 - name: hermes
   files:
@@ -21,6 +28,11 @@ secretGenerator:
   - secrets/API_SERVER_KEY
   - secrets/SIYUAN_TOKEN
   type: Opaque
+- name: backup-env
+  type: Opaque
+  files:
+  - secrets/AWS_ACCESS_KEY_ID
+  - secrets/AWS_SECRET_ACCESS_KEY
 configMapGenerator:
 - name: hermes
   files:
@@ -34,4 +46,11 @@ configMapGenerator:
   - config/PIP_INDEX_URL
 - name: hermes-start
   files:
-  - config/stage2-hook.sh
\ No newline at end of file
+  - config/stage2-hook.sh
+- name: backup-script
+  files:
+  - config/backup.sh
+- name: backup-env
+  files:
+  - config/AWS_REGION
+  - config/AWS_ENDPOINT_URL_S3
\ No newline at end of file
diff --git a/hermes/secrets/AWS_ACCESS_KEY_ID b/hermes/secrets/AWS_ACCESS_KEY_ID
new file mode 100644
index 0000000..4add006
--- /dev/null
+++ b/hermes/secrets/AWS_ACCESS_KEY_ID
@@ -0,0 +1 @@
+228d29a305ceda37c1d0f60ca3ac7407
\ No newline at end of file
diff --git a/hermes/secrets/AWS_SECRET_ACCESS_KEY b/hermes/secrets/AWS_SECRET_ACCESS_KEY
new file mode 100644
index 0000000..51c4845
--- /dev/null
+++ b/hermes/secrets/AWS_SECRET_ACCESS_KEY
@@ -0,0 +1 @@
+42cb88c943a580cf1c04f9da0764bd56a273ed3b6522d563941bd4f6521684cc
\ No newline at end of file