Home Explore Help
Sign In
mirrors
/
borg
mirror of https://github.com/borgbackup/borg
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

update docs, remove references to passphrase mode

Thomas Waldmann 9 years ago
parent
815d2e23ce
commit
1fc99ec9cd
2 changed files with 11 additions and 9 deletions
Unified View Show Diff Stats
  1. 6 1
      docs/internals.rst
  2. 5 8
      docs/usage.rst

+ 6 - 1
docs/internals.rst
View File 

@@ -344,7 +344,12 @@ To reduce payload size, only 8 bytes of the 16 bytes nonce is saved in the
 
 payload, the first 8 bytes are always zeros. This does not affect security but
 
 payload, the first 8 bytes are always zeros. This does not affect security but
 
 limits the maximum repository capacity to only 295 exabytes (2**64 * 16 bytes).
 
 limits the maximum repository capacity to only 295 exabytes (2**64 * 16 bytes).
 
 
 
-Encryption keys are either derived from a passphrase or kept in a key file.
 
+Encryption keys (and other secrets) are kept either in a key file on the client
 
+('keyfile' mode) or in the repository config on the server ('repokey' mode).
 
+In both cases, the secrets are generated from random and then encrypted by a
 
+key derived from your passphrase (this happens on the client before the key
 
+is stored into the keyfile or as repokey).
 
+
 
 The passphrase is passed through the ``BORG_PASSPHRASE`` environment variable
 
 The passphrase is passed through the ``BORG_PASSPHRASE`` environment variable
 
 or prompted for interactive usage.
 
 or prompted for interactive usage.

+ 5 - 8
docs/usage.rst
View File 

@@ -198,12 +198,7 @@ an attacker has access to your backup repository.
 
 
 
 But be careful with the key / the passphrase:
 
 But be careful with the key / the passphrase:
 
 
 
-``--encryption=passphrase`` is DEPRECATED and will be removed in next major release.
 
-This mode has very fundamental, unfixable problems (like you can never change
 
-your passphrase or the pbkdf2 iteration count for an existing repository, because
 
-the encryption / decryption key is directly derived from the passphrase).
 
-
 
-If you want "passphrase-only" security, just use the ``repokey`` mode. The key will
 
+If you want "passphrase-only" security, use the ``repokey`` mode. The key will
 
 be stored inside the repository (in its "config" file). In above mentioned
 
 be stored inside the repository (in its "config" file). In above mentioned
 
 attack scenario, the attacker will have the key (but not the passphrase).
 
 attack scenario, the attacker will have the key (but not the passphrase).
 
 
 
@@ -220,8 +215,10 @@ The backup that is encrypted with that key won't help you with that, of course.
 
 Make sure you use a good passphrase. Not too short, not too simple. The real
 
 Make sure you use a good passphrase. Not too short, not too simple. The real
 
 encryption / decryption key is encrypted with / locked by your passphrase.
 
 encryption / decryption key is encrypted with / locked by your passphrase.
 
 If an attacker gets your key, he can't unlock and use it without knowing the
 
 If an attacker gets your key, he can't unlock and use it without knowing the
 
-passphrase. In ``repokey`` and ``keyfile`` modes, you can change your passphrase
 
-for existing repos.
 
+passphrase.
 
+
 
+You can change your passphrase for existing repos at any time, it won't affect
 
+the encryption/decryption key or other secrets.
 
 
 
 
 
 .. include:: usage/create.rst.inc
 
 .. include:: usage/create.rst.inc