|
|
@@ -2453,12 +2453,14 @@ class Archiver:
|
|
|
| Hash/MAC | Not encrypted | Not encrypted, | Encrypted (AEAD w/ AES) |
|
|
|
| | no auth | but authenticated | and authenticated |
|
|
|
+----------+---------------+------------------------+--------------------------+
|
|
|
- | SHA-256 | none | authenticated | repokey, keyfile |
|
|
|
+ | SHA-256 | none | `authenticated` | repokey, keyfile |
|
|
|
+----------+---------------+------------------------+--------------------------+
|
|
|
- | BLAKE2b | n/a | authenticated-blake2 | repokey-blake2, |
|
|
|
- | | | | keyfile-blake2 |
|
|
|
+ | BLAKE2b | n/a | `authenticated-blake2` | `repokey-blake2`, |
|
|
|
+ | | | | `keyfile-blake2` |
|
|
|
+----------+---------------+------------------------+--------------------------+
|
|
|
|
|
|
+ `Marked modes` are new in Borg 1.1 and are not backwards-compatible with Borg 1.0.x.
|
|
|
+
|
|
|
On modern Intel/AMD CPUs (except very cheap ones), AES is usually
|
|
|
hardware-accelerated.
|
|
|
BLAKE2b is faster than SHA256 on Intel/AMD 64-bit CPUs
|
|
|
@@ -2491,7 +2493,8 @@ class Archiver:
|
|
|
|
|
|
`none` mode uses no encryption and no authentication. It uses SHA256 as chunk
|
|
|
ID hash. Not recommended, rather consider using an authenticated or
|
|
|
- authenticated/encrypted mode.
|
|
|
+ authenticated/encrypted mode. This mode has possible denial-of-service issues
|
|
|
+ when running ``borg create`` on contents controlled by an attacker.
|
|
|
Use it only for new repositories where no encryption is wanted **and** when compatibility
|
|
|
with 1.0.x is important. If compatibility with 1.0.x is not important, use
|
|
|
`authenticated-blake2` or `authenticated` instead.
|
Marian Beermann