2026-03-15 09:34:31 -04:00
. \" Man page generated from reStructuredText
. \" by the Docutils 0.22.4 manpage writer.
2017-02-05 08:22:06 -05:00
.
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\ $1 \\ n[an-margin]
level \\ n[rst2man-indent-level]
level margin: \\ n[rst2man-indent\\ n[rst2man-indent-level]]
-
\\ n[rst2man-indent0]
\\ n[rst2man-indent1]
\\ n[rst2man-indent2]
. .
.de1 INDENT
. \" .rstReportMargin pre:
. RS \\ $1
. nr rst2man-indent\\n[rst2man-indent-level] \\ n[an-margin]
. nr rst2man-indent-level +1
. \" .rstReportMargin post:
. .
.de UNINDENT
. RE
. \" indent \\n[an-margin]
. \" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
. \" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\ n[rst2man-indent\\n[rst2man-indent-level]]u
. .
2026-06-16 08:17:43 -04:00
.TH "borg-repo-create" "1" "2026-06-16" "" "borg backup tool"
2026-03-15 09:34:31 -04:00
.SH Name
2025-12-23 12:00:09 -05:00
borg-repo-create \- Creates a new, empty repository.
2017-02-05 08:22:06 -05:00
.SH SYNOPSIS
.sp
2024-09-08 11:52:10 -04:00
borg [common options] repo\- create [options]
2017-02-05 08:22:06 -05:00
.SH DESCRIPTION
.sp
2024-09-07 16:31:48 -04:00
This command creates a new, empty repository. A repository is a \fB borgstore\fP store
containing the deduplicated data from zero or more archives.
2024-10-31 15:50:06 -04:00
.sp
Repository creation can be quite slow for some kinds of stores (e.g. for \fB sftp:\fP ) \-
this is due to borgstore pre\- creating all directories needed, making usage of the
store faster.
2025-12-23 12:00:09 -05:00
.SS Encryption mode TL;DR
2017-02-05 08:22:06 -05:00
.sp
2022-04-14 15:13:46 -04:00
The encryption mode can only be configured when creating a new repository \- you can
neither configure it on a per\- archive basis nor change the mode of an existing repository.
This example will likely NOT give optimum performance on your machine (performance
tips will come below):
2022-02-19 12:48:13 -05:00
.INDENT 0 .0
.INDENT 3 .5
2020-04-21 16:59:27 -04:00
.sp
2025-04-21 15:07:46 -04:00
.EX
2026-06-16 08:17:43 -04:00
borg repo\- create \- \- encryption aes256\- ocb \- \- key\- location repokey
2025-04-21 15:07:46 -04:00
.EE
2022-02-19 12:48:13 -05:00
.UNINDENT
.UNINDENT
2017-02-05 08:22:06 -05:00
.sp
2022-02-19 12:48:13 -05:00
Borg will:
.INDENT 0 .0
.IP 1 . 3
Ask you to come up with a passphrase.
.IP 2 . 3
2022-04-14 15:13:46 -04:00
Create a borg key (which contains some random secrets. See \fI key_files\fP ).
2022-02-19 12:48:13 -05:00
.IP 3 . 3
2022-09-10 10:03:27 -04:00
Derive a \(dq key encryption key\(dq from your passphrase
2022-02-19 12:48:13 -05:00
.IP 4 . 3
2022-04-14 15:13:46 -04:00
Encrypt and sign the key with the key encryption key
.IP 5 . 3
2022-02-19 12:48:13 -05:00
Store the encrypted borg key inside the repository directory (in the repo config).
This is why it is essential to use a secure passphrase.
2022-04-14 15:13:46 -04:00
.IP 6 . 3
2022-02-19 12:48:13 -05:00
Encrypt and sign your backups to prevent anyone from reading or forging them unless they
have the key and know the passphrase. Make sure to keep a backup of
your key \fB outside\fP the repository \- do not lock yourself out by
2022-09-10 10:03:27 -04:00
\(dq leaving your keys inside your car\(dq (see \fI borg_key_export\fP ).
2022-08-03 16:19:12 -04:00
The encryption is done locally \- if you use a remote repository, the remote machine
2022-02-19 12:48:13 -05:00
never sees your passphrase, your unencrypted key or your unencrypted files.
2025-12-23 12:00:09 -05:00
Chunking and ID generation are also based on your key to improve
2022-02-19 12:48:13 -05:00
your privacy.
2022-04-14 15:13:46 -04:00
.IP 7 . 3
2022-02-19 12:48:13 -05:00
Use the key when extracting files to decrypt them and to verify that the contents of
the backups have not been accidentally or maliciously altered.
.UNINDENT
.SS Picking a passphrase
2017-02-05 08:22:06 -05:00
.sp
Make sure you use a good passphrase. Not too short, not too simple. The real
encryption / decryption key is encrypted with / locked by your passphrase.
2025-12-23 12:00:09 -05:00
If an attacker gets your key, they cannot unlock and use it without knowing the
2017-02-05 08:22:06 -05:00
passphrase.
.sp
2025-12-23 12:00:09 -05:00
Be careful with special or non\- ASCII characters in your passphrase:
2017-02-05 08:22:06 -05:00
.INDENT 0 .0
.IP \(bu 2
2025-12-23 12:00:09 -05:00
Borg processes the passphrase as Unicode (and encodes it as UTF\- 8),
2017-02-05 08:22:06 -05:00
so it does not have problems dealing with even the strangest characters.
.IP \(bu 2
2025-12-23 12:00:09 -05:00
BUT: that does not necessarily apply to your OS/VM/keyboard configuration.
2017-02-05 08:22:06 -05:00
.UNINDENT
.sp
2025-12-23 12:00:09 -05:00
So better use a long passphrase made from simple ASCII characters than one that
includes non\- ASCII stuff or characters that are hard or impossible to enter on
2017-02-05 08:22:06 -05:00
a different keyboard layout.
.sp
2025-12-23 12:00:09 -05:00
You can change your passphrase for existing repositories at any time; it will not affect
2017-02-05 08:22:06 -05:00
the encryption/decryption key or other secrets.
2026-06-16 08:17:43 -04:00
.SS Choosing a crypto suite
2022-02-19 12:48:13 -05:00
.sp
2022-04-14 15:13:46 -04:00
Depending on your hardware, hashing and crypto performance may vary widely.
2025-12-23 12:00:09 -05:00
The easiest way to find out what is fastest is to run \fB borg benchmark cpu\fP \& .
2022-02-19 12:48:13 -05:00
.sp
2026-06-16 08:17:43 -04:00
A crypto suite is selected by three orthogonal options:
.sp
\fB \- \- encryption\fP (\fB required\fP ) selects the cipher / authenticated\- encryption algorithm:
.INDENT 0 .0
.IP \(bu 2
\fB aes256\- ocb\fP : AES256 in OCB mode (encryption + authentication).
.IP \(bu 2
\fB chacha20\- poly1305\fP : ChaCha20 + Poly1305 (encryption + authentication).
.IP \(bu 2
\fB authenticated\fP : no encryption, but still authenticates your data (tamper detection).
.IP \(bu 2
\fB none\fP : no encryption and no authentication (see the warning below).
.UNINDENT
.sp
\fB \- \- id\- hash\fP selects the id hash function (used for chunk ids and authentication):
.INDENT 0 .0
.IP \(bu 2
\fB sha256\fP (default): HMAC\- SHA\- 256 (or plain SHA\- 256 for the \fB none\fP encryption).
.IP \(bu 2
\fB blake3\fP : BLAKE3. Often faster on CPUs without SHA hardware acceleration.
.UNINDENT
.sp
The \fB none\fP encryption has no key, so it only supports the \fB sha256\fP id hash.
.sp
\fB \- \- key\- location\fP selects where the key is stored (orthogonal to the crypto suite):
2026-06-13 14:57:26 -04:00
.INDENT 0 .0
.IP \(bu 2
\fB repokey\fP (default): the key is stored in the repository (under \fB keys/\fP ). Pick this
if you want ease\- of\- use and \(dq passphrase\(dq security is good enough.
.IP \(bu 2
\fB keyfile\fP : the key is stored in your home directory (in \fB ~/.config/borg/keys\fP ). Pick
this if you want \(dq passphrase and having\- the\- key\(dq security.
.UNINDENT
2020-04-21 16:59:27 -04:00
.sp
2026-06-13 14:57:26 -04:00
You can move the key between these locations later with \fB borg key change\- location\fP \& .
2026-06-16 08:17:43 -04:00
This also applies to the \fB authenticated\fP encryption: it does not encrypt your data, but it
still has a key (used for the id hash and authentication), so \fB \- \- key\- location\fP selects
where that key is stored, just like for the encrypted suites.
\fB \- \- key\- location\fP is only ignored for the \fB none\fP encryption, which has no key at all.
2020-04-21 16:59:27 -04:00
.sp
2026-06-16 08:17:43 -04:00
\fI none\fP encryption uses no encryption and no authentication. You are advised NOT to use this
2026-06-13 14:57:26 -04:00
as it would expose you to a Denial\- of\- Service risk (due to how the \fI internals_hashindex\fP
works) and other issues (confidentiality, tampering, ...) in case of malicious activity
in the repository.
2017-06-11 07:35:23 -04:00
.sp
2022-04-14 15:13:46 -04:00
If you do \fB not\fP want to encrypt the contents of your backups, but still want to detect
2026-06-16 08:17:43 -04:00
malicious tampering, use \fB \- \- encryption authenticated\fP \& . It is like an encrypted suite
minus the data encryption.
2025-12-23 12:00:09 -05:00
To normally work with \fB authenticated\fP repositories, you will need the passphrase, but
there is an emergency workaround; see \fB BORG_WORKAROUNDS=authenticated_no_key\fP docs.
2022-08-03 16:19:12 -04:00
.SS Creating a related repository
.sp
2024-09-08 11:52:10 -04:00
You can use \fB borg repo\- create \- \- other\- repo ORIG_REPO ...\fP to create a related repository
2023-09-14 09:52:08 -04:00
that uses the same secret key material as the given other/original repository.
2022-08-03 16:19:12 -04:00
.sp
By default, only the ID key and chunker secret will be the same (these are important
for deduplication) and the AE crypto keys will be newly generated random keys.
.sp
2022-08-07 13:20:34 -04:00
Optionally, if you use \fB \- \- copy\- crypt\- key\fP you can also keep the same crypt_key
2025-12-23 12:00:09 -05:00
(used for authenticated encryption). This might be desired, for example, if you want to have fewer
2022-08-03 16:19:12 -04:00
keys to manage.
.sp
2025-12-23 12:00:09 -05:00
Creating related repositories is useful, for example, if you want to use \fB borg transfer\fP later.
.SS Creating a related repository for data migration from Borg 1 .2 or 1 .4
2024-09-07 16:31:48 -04:00
.sp
2024-09-08 11:52:10 -04:00
You can use \fB borg repo\- create \- \- other\- repo ORIG_REPO \- \- from\- borg1 ...\fP to create a related
2024-09-07 16:31:48 -04:00
repository that uses the same secret key material as the given other/original repository.
.sp
Then use \fB borg transfer \- \- other\- repo ORIG_REPO \- \- from\- borg1 ...\fP to transfer the archives.
2017-02-05 08:22:06 -05:00
.SH OPTIONS
.sp
See \fI borg\- common(1)\fP for common options of Borg commands.
2025-04-21 15:07:46 -04:00
.SS options
2017-02-05 08:22:06 -05:00
.INDENT 0 .0
.TP
2022-06-23 19:19:19 -04:00
.BI \- \- other\-repo \ SRC_REPOSITORY
reuse the key material from the other repository
.TP
2024-09-07 16:31:48 -04:00
.B \- \- from\-borg1
2025-12-23 12:00:09 -05:00
other repository is Borg 1.x
2024-09-07 16:31:48 -04:00
.TP
2026-06-16 08:17:43 -04:00
.BI \- e \ ENCRYPTION\fR,\fB \ \- \- encryption \ ENCRYPTION
select cipher / AE algorithm: \(aq none\(aq , \(aq authenticated\(aq , \(aq aes256\- ocb\(aq or \(aq chacha20\- poly1305\(aq \fB (required)\fP
.TP
.BI \- i \ HASH\fR,\fB \ \- \- id\-hash \ HASH
select the id hash function: \(aq sha256\(aq (default) or \(aq blake3\(aq . The \(aq none\(aq encryption only supports \(aq sha256\(aq .
2026-06-13 14:57:26 -04:00
.TP
.BI \- \- key\-location \ LOCATION
where to store the key: \(aq repokey\(aq (in the repository, default) or \(aq keyfile\(aq (in the local keys directory). Ignored for the \(aq none\(aq mode (which has no key).
2017-02-05 08:22:06 -05:00
.TP
2022-08-07 13:20:34 -04:00
.B \- \- copy\-crypt\-key
2025-12-23 12:00:09 -05:00
copy the crypt_key (used for authenticated encryption) from the key of the other repository (default: new random key).
2017-02-05 08:22:06 -05:00
.UNINDENT
.SH EXAMPLES
.INDENT 0 .0
.INDENT 3 .5
.sp
2025-04-21 15:07:46 -04:00
.EX
2022-06-23 19:19:19 -04:00
# Local repository
$ export BORG_REPO=/path/to/repo
2026-06-13 14:57:26 -04:00
# Recommended AEAD cryptographic modes (key stored in the repository by default)
$ borg repo\- create \- \- encryption=aes\- ocb
$ borg repo\- create \- \- encryption=chacha20\- poly1305
$ borg repo\- create \- \- encryption=blake3\- aes\- ocb
$ borg repo\- create \- \- encryption=blake3\- chacha20\- poly1305
2025-12-23 12:00:09 -05:00
# No encryption (not recommended)
2024-09-08 11:52:10 -04:00
$ borg repo\- create \- \- encryption=authenticated
2026-06-13 14:57:26 -04:00
$ borg repo\- create \- \- encryption=authenticated\- blake3
2024-09-08 11:52:10 -04:00
$ borg repo\- create \- \- encryption=none
2017-02-05 08:22:06 -05:00
2026-06-13 14:57:26 -04:00
# The crypto suite (\- \- encryption) and where the key is stored (\- \- key\- location) are
# chosen independently. \- \- key\- location defaults to repokey.
# repokey: stores the encrypted key inside the repository
$ borg repo\- create \- \- encryption=aes\- ocb \- \- key\- location=repokey
2026-03-15 09:34:31 -04:00
# keyfile: stores the encrypted key in the config dir\(aq s keys/ subdir
# (e.g. ~/.config/borg/keys/ on Linux, ~/Library/Application Support/borg/keys/ on macOS)
2026-06-13 14:57:26 -04:00
$ borg repo\- create \- \- encryption=aes\- ocb \- \- key\- location=keyfile
2025-04-21 15:07:46 -04:00
.EE
2017-02-05 08:22:06 -05:00
.UNINDENT
.UNINDENT
.SH SEE ALSO
.sp
2024-09-08 11:52:10 -04:00
\fI borg\- common(1)\fP , \fI borg\- repo\- delete(1)\fP , \fI borg\- repo\- list(1)\fP , \fI borg\- check(1)\fP , \fI borg\- benchmark\- cpu(1)\fP , \fI borg\- key\- import(1)\fP , \fI borg\- key\- export(1)\fP , \fI borg\- key\- change\- passphrase(1)\fP
2026-03-15 09:34:31 -04:00
.SH Author
2017-02-05 08:22:06 -05:00
The Borg Collective
2026-03-15 09:34:31 -04:00
. \" End of generated man page.