.\" Man page generated from reStructuredText.
.
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.TH "BORG-RCREATE" 1 "2022-06-26" "" "borg backup tool"
.SH NAME
borg-rcreate \- Create a new, empty repository
.SH SYNOPSIS
.sp
borg [common options] rcreate [options]
.SH DESCRIPTION
.sp
This command creates a new, empty repository. A repository is a filesystem
directory containing the deduplicated data from zero or more archives.
.SS Encryption mode TLDR
.sp
The encryption mode can only be configured when creating a new repository \- you can
neither configure it on a per\-archive basis nor change the mode of an existing repository.
This example will likely NOT give optimum performance on your machine (performance
tips will come below):
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
borg rcreate \-\-encryption repokey\-aes\-ocb
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
Borg will:
.INDENT 0.0
.IP 1. 3
Ask you to come up with a passphrase.
.IP 2. 3
Create a borg key (which contains some random secrets. See \fIkey_files\fP).
.IP 3. 3
Derive a "key encryption key" from your passphrase
.IP 4. 3
Encrypt and sign the key with the key encryption key
.IP 5. 3
Store the encrypted borg key inside the repository directory (in the repo config).
This is why it is essential to use a secure passphrase.
.IP 6. 3
Encrypt and sign your backups to prevent anyone from reading or forging them unless they
have the key and know the passphrase. Make sure to keep a backup of
your key \fBoutside\fP the repository \- do not lock yourself out by
"leaving your keys inside your car" (see \fIborg_key_export\fP).
For remote backups the encryption is done locally \- the remote machine
never sees your passphrase, your unencrypted key or your unencrypted files.
Chunking and id generation are also based on your key to improve
your privacy.
.IP 7. 3
Use the key when extracting files to decrypt them and to verify that the contents of
the backups have not been accidentally or maliciously altered.
.UNINDENT
.SS Picking a passphrase
.sp
Make sure you use a good passphrase. Not too short, not too simple. The real
encryption / decryption key is encrypted with / locked by your passphrase.
If an attacker gets your key, he can\(aqt unlock and use it without knowing the
passphrase.
.sp
Be careful with special or non\-ascii characters in your passphrase:
.INDENT 0.0
.IP \(bu 2
Borg processes the passphrase as unicode (and encodes it as utf\-8),
so it does not have problems dealing with even the strangest characters.
.IP \(bu 2
BUT: that does not necessarily apply to your OS / VM / keyboard configuration.
.UNINDENT
.sp
So better use a long passphrase made from simple ascii chars than one that
includes non\-ascii stuff or characters that are hard/impossible to enter on
a different keyboard layout.
.sp
You can change your passphrase for existing repos at any time, it won\(aqt affect
the encryption/decryption key or other secrets.
.SS Choosing an encryption mode
.sp
Depending on your hardware, hashing and crypto performance may vary widely.
The easiest way to find out about what\(aqs fastest is to run \fBborg benchmark cpu\fP\&.
.sp
\fIrepokey\fP modes: if you want ease\-of\-use and "passphrase" security is good enough \-
the key will be stored in the repository (in \fBrepo_dir/config\fP).
.sp
\fIkeyfile\fP modes: if you rather want "passphrase and having\-the\-key" security \-
the key will be stored in your home directory (in \fB~/.config/borg/keys\fP).
.sp
The following table is roughly sorted in order of preference, the better ones are
in the upper part of the table, in the lower part is the old and/or unsafe(r) stuff:
.\" nanorst: inline-fill
.
.TS
center;
|l|l|l|l|l|.
_
T{
Mode (K = keyfile or repokey)
T}	T{
ID\-Hash
T}	T{
Encryption
T}	T{
Authentication
T}	T{
V >=
T}
_
T{
K\-blake2\-chacha20\-poly1305
T}	T{
BLAKE2b
T}	T{
CHACHA20
T}	T{
POLY1305
T}	T{
2.0
T}
_
T{
K\-chacha20\-poly1305
T}	T{
HMAC\-SHA\-256
T}	T{
CHACHA20
T}	T{
POLY1305
T}	T{
2.0
T}
_
T{
K\-blake2\-aes\-ocb
T}	T{
BLAKE2b
T}	T{
AES256\-OCB
T}	T{
AES256\-OCB
T}	T{
2.0
T}
_
T{
K\-aes\-ocb
T}	T{
HMAC\-SHA\-256
T}	T{
AES256\-OCB
T}	T{
AES256\-OCB
T}	T{
2.0
T}
_
T{
K\-blake2
T}	T{
BLAKE2b
T}	T{
AES256\-CTR
T}	T{
BLAKE2b
T}	T{
1.1
T}
_
T{
K
T}	T{
HMAC\-SHA\-256
T}	T{
AES256\-CTR
T}	T{
HMAC\-SHA256
T}	T{
any
T}
_
T{
authenticated\-blake2
T}	T{
BLAKE2b
T}	T{
none
T}	T{
BLAKE2b
T}	T{
1.1
T}
_
T{
authenticated
T}	T{
HMAC\-SHA\-256
T}	T{
none
T}	T{
HMAC\-SHA256
T}	T{
1.1
T}
_
T{
none
T}	T{
SHA\-256
T}	T{
none
T}	T{
none
T}	T{
any
T}
_
.TE
.\" nanorst: inline-replace
.
.sp
\fInone\fP mode uses no encryption and no authentication. You\(aqre advised to NOT use this mode
as it would expose you to all sorts of issues (DoS, confidentiality, tampering, ...) in
case of malicious activity in the repository.
.sp
If you do \fBnot\fP want to encrypt the contents of your backups, but still want to detect
malicious tampering use an \fIauthenticated\fP mode. It\(aqs like \fIrepokey\fP minus encryption.
.SS Key derivation functions
.INDENT 0.0
.IP \(bu 2
\fB\-\-key\-algorithm argon2\fP is the default and is recommended.
The key encryption key is derived from your passphrase via argon2\-id.
Argon2 is considered more modern and secure than pbkdf2.
.UNINDENT
.sp
Our implementation of argon2\-based key algorithm follows the cryptographic best practices:
.INDENT 0.0
.IP \(bu 2
It derives two separate keys from your passphrase: one to encrypt your key and another one
to sign it. \fB\-\-key\-algorithm pbkdf2\fP uses the same key for both.
.IP \(bu 2
It uses encrypt\-then\-mac instead of encrypt\-and\-mac used by \fB\-\-key\-algorithm pbkdf2\fP
.UNINDENT
.sp
Neither is inherently linked to the key derivation function, but since we were going
to break backwards compatibility anyway we took the opportunity to fix all 3 issues at once.
.SH OPTIONS
.sp
See \fIborg\-common(1)\fP for common options of Borg commands.
.SS optional arguments
.INDENT 0.0
.TP
.BI \-\-other\-repo \ SRC_REPOSITORY
reuse the key material from the other repository
.TP
.BI \-e \ MODE\fR,\fB \ \-\-encryption \ MODE
select encryption key mode \fB(required)\fP
.TP
.B  \-\-append\-only
create an append\-only mode repository. Note that this only affects the low level structure of the repository, and running \fIdelete\fP or \fIprune\fP will still be allowed. See \fIappend_only_mode\fP in Additional Notes for more details.
.TP
.BI \-\-storage\-quota \ QUOTA
Set storage quota of the new repository (e.g. 5G, 1.5T). Default: no quota.
.TP
.B  \-\-make\-parent\-dirs
create the parent directories of the repository directory, if they are missing.
.TP
.B  \-\-key\-algorithm
the algorithm we use to derive a key encryption key from your passphrase. Default: argon2
.UNINDENT
.SH EXAMPLES
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
# Local repository
$ export BORG_REPO=/path/to/repo
# recommended repokey AEAD crypto modes
$ borg rcreate \-\-encryption=repokey\-aes\-ocb
$ borg rcreate \-\-encryption=repokey\-chacha20\-poly1305
$ borg rcreate \-\-encryption=repokey\-blake2\-aes\-ocb
$ borg rcreate \-\-encryption=repokey\-blake2\-chacha20\-poly1305
# no encryption, not recommended
$ borg rcreate \-\-encryption=authenticated
$ borg rcreate \-\-encryption=none
# Remote repository (accesses a remote borg via ssh)
$ export BORG_REPO=ssh://user@hostname/~/backup
# repokey: stores the (encrypted) key into <REPO_DIR>/config
$ borg rcreate \-\-encryption=repokey\-aes\-ocb
# keyfile: stores the (encrypted) key into ~/.config/borg/keys/
$ borg rcreate \-\-encryption=keyfile\-aes\-ocb
.ft P
.fi
.UNINDENT
.UNINDENT
.SH SEE ALSO
.sp
\fIborg\-common(1)\fP, \fIborg\-rdelete(1)\fP, \fIborg\-rlist(1)\fP, \fIborg\-check(1)\fP, \fIborg\-key\-import(1)\fP, \fIborg\-key\-export(1)\fP, \fIborg\-key\-change\-passphrase(1)\fP
.SH AUTHOR
The Borg Collective
.\" Generated by docutils manpage writer.
.
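The construction described under "Key derivation functions" (two separate keys derived from one passphrase, then encrypt-then-MAC over the wrapped key), sketched as an added example that is not borg's own code. It assumes scrypt as a standard-library stand-in for argon2-id and an HMAC-SHA256 counter-mode keystream as a stand-in cipher; the blob layout and all function names are hypothetical.

```python
import hashlib
import hmac
import os


def derive_keys(passphrase: str, salt: bytes):
    """One KDF call, split into two independent 32-byte keys."""
    # Assumption: scrypt stands in for argon2-id (not in the stdlib).
    okm = hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                         n=2**14, r=8, p=1, dklen=64)
    return okm[:32], okm[32:]  # (encryption key, MAC key)


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (HMAC-SHA256 in counter mode), not borg's cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        counter = (i // 32).to_bytes(8, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def wrap_key(passphrase: str, secret_key: bytes) -> bytes:
    """Encrypt first, then MAC everything a reader will parse."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ciphertext = _keystream_xor(enc_key, nonce, secret_key)
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag  # hypothetical layout


def unwrap_key(passphrase: str, blob: bytes) -> bytes:
    """Verify the tag before any decryption is attempted."""
    salt, nonce = blob[:16], blob[16:32]
    ciphertext, tag = blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or tampered key blob")
    return _keystream_xor(enc_key, nonce, ciphertext)


if __name__ == "__main__":
    blob = wrap_key("constructed sample passphrase", os.urandom(40))
    print(len(unwrap_key("constructed sample passphrase", blob)), "bytes recovered")
```

Because the tag is checked before decryption, a wrong passphrase and a modified blob fail the same way, and the decryption key is never applied to unauthenticated data.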