| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272 | .\" Man page generated from reStructuredText....nr rst2man-indent-level 0..de1 rstReportMargin\\$1 \\n[an-margin]level \\n[rst2man-indent-level]level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]-\\n[rst2man-indent0]\\n[rst2man-indent1]\\n[rst2man-indent2]...de1 INDENT.\" .rstReportMargin pre:. RS \\$1. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]. nr rst2man-indent-level +1.\" .rstReportMargin post:...de UNINDENT. RE.\" indent \\n[an-margin].\" old: \\n[rst2man-indent\\n[rst2man-indent-level]].nr rst2man-indent-level -1.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]].in \\n[rst2man-indent\\n[rst2man-indent-level]]u...TH "BORG-INIT" 1 "2024-01-01" "" "borg backup tool".SH NAMEborg-init \- Initialize an empty repository.SH SYNOPSIS.spborg [common options] init [options] [REPOSITORY].SH DESCRIPTION.spThis command initializes an empty repository. A repository is a filesystemdirectory containing the deduplicated data from zero or more archives..SS Encryption mode TLDR.spThe encryption mode can only be configured when creating a new repository \-you can neither configure it on a per\-archive basis nor change theencryption mode of an existing repository..spUse \fBrepokey\fP:.INDENT 0.0.INDENT 3.5.sp.nf.ft Cborg init \-\-encryption repokey /path/to/repo.ft P.fi.UNINDENT.UNINDENT.spOr \fBrepokey\-blake2\fP depending on which is faster on your client machines (see below):.INDENT 0.0.INDENT 3.5.sp.nf.ft Cborg init \-\-encryption repokey\-blake2 /path/to/repo.ft P.fi.UNINDENT.UNINDENT.spBorg will:.INDENT 0.0.IP 1. 3Ask you to come up with a passphrase..IP 2. 3Create a borg key (which contains 3 random secrets. See \fIkey_files\fP)..IP 3. 3Encrypt the key with your passphrase..IP 4. 3Store the encrypted borg key inside the repository directory (in the repo config).This is why it is essential to use a secure passphrase..IP 5. 3Encrypt and sign your backups to prevent anyone from reading or forging them unless theyhave the key and know the passphrase. Make sure to keep a backup ofyour key \fBoutside\fP the repository \- do not lock yourself out by\(dqleaving your keys inside your car\(dq (see \fIborg_key_export\fP).For remote backups the encryption is done locally \- the remote machinenever sees your passphrase, your unencrypted key or your unencrypted files.Chunking and id generation are also based on your key to improveyour privacy..IP 6. 3Use the key when extracting files to decrypt them and to verify that the contents ofthe backups have not been accidentally or maliciously altered..UNINDENT.SS Picking a passphrase.spMake sure you use a good passphrase. Not too short, not too simple. The realencryption / decryption key is encrypted with / locked by your passphrase.If an attacker gets your key, he can\(aqt unlock and use it without knowing thepassphrase..spBe careful with special or non\-ascii characters in your passphrase:.INDENT 0.0.IP \(bu 2Borg processes the passphrase as unicode (and encodes it as utf\-8),so it does not have problems dealing with even the strangest characters..IP \(bu 2BUT: that does not necessarily apply to your OS / VM / keyboard configuration..UNINDENT.spSo better use a long passphrase made from simple ascii chars than one thatincludes non\-ascii stuff or characters that are hard/impossible to enter ona different keyboard layout..spYou can change your passphrase for existing repos at any time, it won\(aqt affectthe encryption/decryption key or other secrets..SS More encryption modes.spOnly use \fB\-\-encryption none\fP if you are OK with anyone who has access toyour repository being able to read your backups and tamper with theircontents without you noticing..spIf you want \(dqpassphrase and having\-the\-key\(dq security, use \fB\-\-encryption keyfile\fP\&.The key will be stored in your home directory (in \fB~/.config/borg/keys\fP)..spIf you do \fBnot\fP want to encrypt the contents of your backups, but stillwant to detect malicious tampering use \fB\-\-encryption authenticated\fP\&.To normally work with \fBauthenticated\fP repos, you will need the passphrase, butthere is an emergency workaround, see \fBBORG_WORKAROUNDS=authenticated_no_key\fP docs..spIf \fBBLAKE2b\fP is faster than \fBSHA\-256\fP on your hardware, use \fB\-\-encryption authenticated\-blake2\fP,\fB\-\-encryption repokey\-blake2\fP or \fB\-\-encryption keyfile\-blake2\fP\&. Note: for remote backupsthe hashing is done on your local machine..\" nanorst: inline-fill..TScenter;|l|l|l|l|._T{Hash/MACT}	T{Not encryptedno authT}	T{Not encrypted,but authenticatedT}	T{Encrypted (AEAD w/ AES)and authenticatedT}_T{SHA\-256T}	T{noneT}	T{\fIauthenticated\fPT}	T{repokeykeyfileT}_T{BLAKE2bT}	T{n/aT}	T{\fIauthenticated\-blake2\fPT}	T{\fIrepokey\-blake2\fP\fIkeyfile\-blake2\fPT}_.TE.\" nanorst: inline-replace..spModes \fImarked like this\fP in the above table are new in Borg 1.1 and are notbackwards\-compatible with Borg 1.0.x..spOn modern Intel/AMD CPUs (except very cheap ones), AES is usuallyhardware\-accelerated.BLAKE2b is faster than SHA256 on Intel/AMD 64\-bit CPUs(except AMD Ryzen and future CPUs with SHA extensions),which makes \fIauthenticated\-blake2\fP faster than \fInone\fP and \fIauthenticated\fP\&..spOn modern ARM CPUs, NEON provides hardware acceleration for SHA256 making it fasterthan BLAKE2b\-256 there. NEON accelerates AES as well..spHardware acceleration is always used automatically when available..sp\fIrepokey\fP and \fIkeyfile\fP use AES\-CTR\-256 for encryption and HMAC\-SHA256 forauthentication in an encrypt\-then\-MAC (EtM) construction. The chunk ID hashis HMAC\-SHA256 as well (with a separate key).These modes are compatible with Borg 1.0.x..sp\fIrepokey\-blake2\fP and \fIkeyfile\-blake2\fP are also authenticated encryption modes,but use BLAKE2b\-256 instead of HMAC\-SHA256 for authentication. The chunk IDhash is a keyed BLAKE2b\-256 hash.These modes are new and \fInot\fP compatible with Borg 1.0.x..sp\fIauthenticated\fP mode uses no encryption, but authenticates repository contentsthrough the same HMAC\-SHA256 hash as the \fIrepokey\fP and \fIkeyfile\fP modes (it uses itas the chunk ID hash). The key is stored like \fIrepokey\fP\&.This mode is new and \fInot\fP compatible with Borg 1.0.x..sp\fIauthenticated\-blake2\fP is like \fIauthenticated\fP, but uses the keyed BLAKE2b\-256 hashfrom the other blake2 modes.This mode is new and \fInot\fP compatible with Borg 1.0.x..sp\fInone\fP mode uses no encryption and no authentication. It uses SHA256 as chunkID hash. This mode is not recommended, you should rather consider using an authenticatedor authenticated/encrypted mode. This mode has possible denial\-of\-service issueswhen running \fBborg create\fP on contents controlled by an attacker.Use it only for new repositories where no encryption is wanted \fBand\fP when compatibilitywith 1.0.x is important. If compatibility with 1.0.x is not important, use\fIauthenticated\-blake2\fP or \fIauthenticated\fP instead.This mode is compatible with Borg 1.0.x..SH OPTIONS.spSee \fIborg\-common(1)\fP for common options of Borg commands..SS arguments.INDENT 0.0.TP.B REPOSITORYrepository to create.UNINDENT.SS optional arguments.INDENT 0.0.TP.BI \-e \ MODE\fR,\fB \ \-\-encryption \ MODEselect encryption key mode \fB(required)\fP.TP.B  \-\-append\-onlycreate an append\-only mode repository. Note that this only affects the low level structure of the repository, and running \fIdelete\fP or \fIprune\fP will still be allowed. See \fIappend_only_mode\fP in Additional Notes for more details..TP.BI \-\-storage\-quota \ QUOTASet storage quota of the new repository (e.g. 5G, 1.5T). Default: no quota..TP.B  \-\-make\-parent\-dirscreate the parent directories of the repository directory, if they are missing..UNINDENT.SH EXAMPLES.INDENT 0.0.INDENT 3.5.sp.nf.ft C# Local repository, repokey encryption, BLAKE2b (often faster, since Borg 1.1)$ borg init \-\-encryption=repokey\-blake2 /path/to/repo# Local repository (no encryption)$ borg init \-\-encryption=none /path/to/repo# Remote repository (accesses a remote borg via ssh)# repokey: stores the (encrypted) key into <REPO_DIR>/config$ borg init \-\-encryption=repokey\-blake2 user@hostname:backup# Remote repository (accesses a remote borg via ssh)# keyfile: stores the (encrypted) key into ~/.config/borg/keys/$ borg init \-\-encryption=keyfile user@hostname:backup.ft P.fi.UNINDENT.UNINDENT.SH SEE ALSO.sp\fIborg\-common(1)\fP, \fIborg\-create(1)\fP, \fIborg\-delete(1)\fP, \fIborg\-check(1)\fP, \fIborg\-list(1)\fP, \fIborg\-key\-import(1)\fP, \fIborg\-key\-export(1)\fP, \fIborg\-key\-change\-passphrase(1)\fP.SH AUTHORThe Borg Collective.\" Generated by docutils manpage writer..
 |