borgbackup/docs/man/borg-repo-create.1

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

239 lines
9.7 KiB
Groff
Raw Normal View History

2026-03-15 09:34:31 -04:00
.\" Man page generated from reStructuredText
.\" by the Docutils 0.22.4 manpage writer.
2017-02-05 08:22:06 -05:00
.
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
2026-06-16 08:17:43 -04:00
.TH "borg-repo-create" "1" "2026-06-16" "" "borg backup tool"
2026-03-15 09:34:31 -04:00
.SH Name
2025-12-23 12:00:09 -05:00
borg-repo-create \- Creates a new, empty repository.
2017-02-05 08:22:06 -05:00
.SH SYNOPSIS
.sp
2024-09-08 11:52:10 -04:00
borg [common options] repo\-create [options]
2017-02-05 08:22:06 -05:00
.SH DESCRIPTION
.sp
2024-09-07 16:31:48 -04:00
This command creates a new, empty repository. A repository is a \fBborgstore\fP store
containing the deduplicated data from zero or more archives.
2024-10-31 15:50:06 -04:00
.sp
Repository creation can be quite slow for some kinds of stores (e.g. for \fBsftp:\fP) \-
this is due to borgstore pre\-creating all directories needed, making usage of the
store faster.
2025-12-23 12:00:09 -05:00
.SS Encryption mode TL;DR
2017-02-05 08:22:06 -05:00
.sp
2022-04-14 15:13:46 -04:00
The encryption mode can only be configured when creating a new repository \- you can
neither configure it on a per\-archive basis nor change the mode of an existing repository.
This example will likely NOT give optimum performance on your machine (performance
tips will come below):
2022-02-19 12:48:13 -05:00
.INDENT 0.0
.INDENT 3.5
2020-04-21 16:59:27 -04:00
.sp
2025-04-21 15:07:46 -04:00
.EX
2026-06-16 08:17:43 -04:00
borg repo\-create \-\-encryption aes256\-ocb \-\-key\-location repokey
2025-04-21 15:07:46 -04:00
.EE
2022-02-19 12:48:13 -05:00
.UNINDENT
.UNINDENT
2017-02-05 08:22:06 -05:00
.sp
2022-02-19 12:48:13 -05:00
Borg will:
.INDENT 0.0
.IP 1. 3
Ask you to come up with a passphrase.
.IP 2. 3
2022-04-14 15:13:46 -04:00
Create a borg key (which contains some random secrets. See \fIkey_files\fP).
2022-02-19 12:48:13 -05:00
.IP 3. 3
2022-09-10 10:03:27 -04:00
Derive a \(dqkey encryption key\(dq from your passphrase
2022-02-19 12:48:13 -05:00
.IP 4. 3
2022-04-14 15:13:46 -04:00
Encrypt and sign the key with the key encryption key
.IP 5. 3
2022-02-19 12:48:13 -05:00
Store the encrypted borg key inside the repository directory (in the repo config).
This is why it is essential to use a secure passphrase.
2022-04-14 15:13:46 -04:00
.IP 6. 3
2022-02-19 12:48:13 -05:00
Encrypt and sign your backups to prevent anyone from reading or forging them unless they
have the key and know the passphrase. Make sure to keep a backup of
your key \fBoutside\fP the repository \- do not lock yourself out by
2022-09-10 10:03:27 -04:00
\(dqleaving your keys inside your car\(dq (see \fIborg_key_export\fP).
2022-08-03 16:19:12 -04:00
The encryption is done locally \- if you use a remote repository, the remote machine
2022-02-19 12:48:13 -05:00
never sees your passphrase, your unencrypted key or your unencrypted files.
2025-12-23 12:00:09 -05:00
Chunking and ID generation are also based on your key to improve
2022-02-19 12:48:13 -05:00
your privacy.
2022-04-14 15:13:46 -04:00
.IP 7. 3
2022-02-19 12:48:13 -05:00
Use the key when extracting files to decrypt them and to verify that the contents of
the backups have not been accidentally or maliciously altered.
.UNINDENT
.SS Picking a passphrase
2017-02-05 08:22:06 -05:00
.sp
Make sure you use a good passphrase. Not too short, not too simple. The real
encryption / decryption key is encrypted with / locked by your passphrase.
2025-12-23 12:00:09 -05:00
If an attacker gets your key, they cannot unlock and use it without knowing the
2017-02-05 08:22:06 -05:00
passphrase.
.sp
2025-12-23 12:00:09 -05:00
Be careful with special or non\-ASCII characters in your passphrase:
2017-02-05 08:22:06 -05:00
.INDENT 0.0
.IP \(bu 2
2025-12-23 12:00:09 -05:00
Borg processes the passphrase as Unicode (and encodes it as UTF\-8),
2017-02-05 08:22:06 -05:00
so it does not have problems dealing with even the strangest characters.
.IP \(bu 2
2025-12-23 12:00:09 -05:00
BUT: that does not necessarily apply to your OS/VM/keyboard configuration.
2017-02-05 08:22:06 -05:00
.UNINDENT
.sp
2025-12-23 12:00:09 -05:00
So better use a long passphrase made from simple ASCII characters than one that
includes non\-ASCII stuff or characters that are hard or impossible to enter on
2017-02-05 08:22:06 -05:00
a different keyboard layout.
.sp
2025-12-23 12:00:09 -05:00
You can change your passphrase for existing repositories at any time; it will not affect
2017-02-05 08:22:06 -05:00
the encryption/decryption key or other secrets.
2026-06-16 08:17:43 -04:00
.SS Choosing a crypto suite
2022-02-19 12:48:13 -05:00
.sp
2022-04-14 15:13:46 -04:00
Depending on your hardware, hashing and crypto performance may vary widely.
2025-12-23 12:00:09 -05:00
The easiest way to find out what is fastest is to run \fBborg benchmark cpu\fP\&.
2022-02-19 12:48:13 -05:00
.sp
2026-06-16 08:17:43 -04:00
A crypto suite is selected by three orthogonal options:
.sp
\fB\-\-encryption\fP (\fBrequired\fP) selects the cipher / authenticated\-encryption algorithm:
.INDENT 0.0
.IP \(bu 2
\fBaes256\-ocb\fP: AES256 in OCB mode (encryption + authentication).
.IP \(bu 2
\fBchacha20\-poly1305\fP: ChaCha20 + Poly1305 (encryption + authentication).
.IP \(bu 2
\fBauthenticated\fP: no encryption, but still authenticates your data (tamper detection).
.IP \(bu 2
\fBnone\fP: no encryption and no authentication (see the warning below).
.UNINDENT
.sp
\fB\-\-id\-hash\fP selects the id hash function (used for chunk ids and authentication):
.INDENT 0.0
.IP \(bu 2
\fBsha256\fP (default): HMAC\-SHA\-256 (or plain SHA\-256 for the \fBnone\fP encryption).
.IP \(bu 2
\fBblake3\fP: BLAKE3. Often faster on CPUs without SHA hardware acceleration.
.UNINDENT
.sp
The \fBnone\fP encryption has no key, so it only supports the \fBsha256\fP id hash.
.sp
\fB\-\-key\-location\fP selects where the key is stored (orthogonal to the crypto suite):
.INDENT 0.0
.IP \(bu 2
\fBrepokey\fP (default): the key is stored in the repository (under \fBkeys/\fP). Pick this
if you want ease\-of\-use and \(dqpassphrase\(dq security is good enough.
.IP \(bu 2
\fBkeyfile\fP: the key is stored in your home directory (in \fB~/.config/borg/keys\fP). Pick
this if you want \(dqpassphrase and having\-the\-key\(dq security.
.UNINDENT
2020-04-21 16:59:27 -04:00
.sp
You can move the key between these locations later with \fBborg key change\-location\fP\&.
2026-06-16 08:17:43 -04:00
This also applies to the \fBauthenticated\fP encryption: it does not encrypt your data, but it
still has a key (used for the id hash and authentication), so \fB\-\-key\-location\fP selects
where that key is stored, just like for the encrypted suites.
\fB\-\-key\-location\fP is only ignored for the \fBnone\fP encryption, which has no key at all.
2020-04-21 16:59:27 -04:00
.sp
2026-06-16 08:17:43 -04:00
\fInone\fP encryption uses no encryption and no authentication. You are advised NOT to use this
as it would expose you to a Denial\-of\-Service risk (due to how the \fIinternals_hashindex\fP
works) and other issues (confidentiality, tampering, ...) in case of malicious activity
in the repository.
.sp
2022-04-14 15:13:46 -04:00
If you do \fBnot\fP want to encrypt the contents of your backups, but still want to detect
2026-06-16 08:17:43 -04:00
malicious tampering, use \fB\-\-encryption authenticated\fP\&. It is like an encrypted suite
minus the data encryption.
2025-12-23 12:00:09 -05:00
To normally work with \fBauthenticated\fP repositories, you will need the passphrase, but
there is an emergency workaround; see \fBBORG_WORKAROUNDS=authenticated_no_key\fP docs.
2022-08-03 16:19:12 -04:00
.SS Creating a related repository
.sp
2024-09-08 11:52:10 -04:00
You can use \fBborg repo\-create \-\-other\-repo ORIG_REPO ...\fP to create a related repository
2023-09-14 09:52:08 -04:00
that uses the same secret key material as the given other/original repository.
2022-08-03 16:19:12 -04:00
.sp
By default, only the ID key and chunker secret will be the same (these are important
for deduplication) and the AE crypto keys will be newly generated random keys.
.sp
2022-08-07 13:20:34 -04:00
Optionally, if you use \fB\-\-copy\-crypt\-key\fP you can also keep the same crypt_key
2025-12-23 12:00:09 -05:00
(used for authenticated encryption). This might be desired, for example, if you want to have fewer
2022-08-03 16:19:12 -04:00
keys to manage.
.sp
2025-12-23 12:00:09 -05:00
Creating related repositories is useful, for example, if you want to use \fBborg transfer\fP later.
.SS Creating a related repository for data migration from Borg 1.2 or 1.4
2024-09-07 16:31:48 -04:00
.sp
2024-09-08 11:52:10 -04:00
You can use \fBborg repo\-create \-\-other\-repo ORIG_REPO \-\-from\-borg1 ...\fP to create a related
2024-09-07 16:31:48 -04:00
repository that uses the same secret key material as the given other/original repository.
.sp
Then use \fBborg transfer \-\-other\-repo ORIG_REPO \-\-from\-borg1 ...\fP to transfer the archives.
2017-02-05 08:22:06 -05:00
.SH OPTIONS
.sp
See \fIborg\-common(1)\fP for common options of Borg commands.
2025-04-21 15:07:46 -04:00
.SS options
2017-02-05 08:22:06 -05:00
.INDENT 0.0
.TP
2022-06-23 19:19:19 -04:00
.BI \-\-other\-repo \ SRC_REPOSITORY
reuse the key material from the other repository
.TP
2024-09-07 16:31:48 -04:00
.B \-\-from\-borg1
2025-12-23 12:00:09 -05:00
other repository is Borg 1.x
2024-09-07 16:31:48 -04:00
.TP
2026-06-16 08:17:43 -04:00
.BI \-e \ ENCRYPTION\fR,\fB \ \-\-encryption \ ENCRYPTION
select cipher / AE algorithm: \(aqnone\(aq, \(aqauthenticated\(aq, \(aqaes256\-ocb\(aq or \(aqchacha20\-poly1305\(aq \fB(required)\fP
.TP
.BI \-i \ HASH\fR,\fB \ \-\-id\-hash \ HASH
select the id hash function: \(aqsha256\(aq (default) or \(aqblake3\(aq. The \(aqnone\(aq encryption only supports \(aqsha256\(aq.
.TP
.BI \-\-key\-location \ LOCATION
where to store the key: \(aqrepokey\(aq (in the repository, default) or \(aqkeyfile\(aq (in the local keys directory). Ignored for the \(aqnone\(aq mode (which has no key).
2017-02-05 08:22:06 -05:00
.TP
2022-08-07 13:20:34 -04:00
.B \-\-copy\-crypt\-key
2025-12-23 12:00:09 -05:00
copy the crypt_key (used for authenticated encryption) from the key of the other repository (default: new random key).
2017-02-05 08:22:06 -05:00
.UNINDENT
.SH EXAMPLES
.INDENT 0.0
.INDENT 3.5
.sp
2025-04-21 15:07:46 -04:00
.EX
2022-06-23 19:19:19 -04:00
# Local repository
$ export BORG_REPO=/path/to/repo
# Recommended AEAD cryptographic modes (key stored in the repository by default)
$ borg repo\-create \-\-encryption=aes\-ocb
$ borg repo\-create \-\-encryption=chacha20\-poly1305
$ borg repo\-create \-\-encryption=blake3\-aes\-ocb
$ borg repo\-create \-\-encryption=blake3\-chacha20\-poly1305
2025-12-23 12:00:09 -05:00
# No encryption (not recommended)
2024-09-08 11:52:10 -04:00
$ borg repo\-create \-\-encryption=authenticated
$ borg repo\-create \-\-encryption=authenticated\-blake3
2024-09-08 11:52:10 -04:00
$ borg repo\-create \-\-encryption=none
2017-02-05 08:22:06 -05:00
# The crypto suite (\-\-encryption) and where the key is stored (\-\-key\-location) are
# chosen independently. \-\-key\-location defaults to repokey.
# repokey: stores the encrypted key inside the repository
$ borg repo\-create \-\-encryption=aes\-ocb \-\-key\-location=repokey
2026-03-15 09:34:31 -04:00
# keyfile: stores the encrypted key in the config dir\(aqs keys/ subdir
# (e.g. ~/.config/borg/keys/ on Linux, ~/Library/Application Support/borg/keys/ on macOS)
$ borg repo\-create \-\-encryption=aes\-ocb \-\-key\-location=keyfile
2025-04-21 15:07:46 -04:00
.EE
2017-02-05 08:22:06 -05:00
.UNINDENT
.UNINDENT
.SH SEE ALSO
.sp
2024-09-08 11:52:10 -04:00
\fIborg\-common(1)\fP, \fIborg\-repo\-delete(1)\fP, \fIborg\-repo\-list(1)\fP, \fIborg\-check(1)\fP, \fIborg\-benchmark\-cpu(1)\fP, \fIborg\-key\-import(1)\fP, \fIborg\-key\-export(1)\fP, \fIborg\-key\-change\-passphrase(1)\fP
2026-03-15 09:34:31 -04:00
.SH Author
2017-02-05 08:22:06 -05:00
The Borg Collective
2026-03-15 09:34:31 -04:00
.\" End of generated man page.