From df67b9ea11541b9e788f207b243bcb92acbca77a Mon Sep 17 00:00:00 2001
From: Thalian
Date: Sun, 15 Mar 2020 21:10:31 +0100
Subject: [PATCH 1/4] =?UTF-8?q?[DOCS]=20#3428=20=E2=80=93=20=20Borg=20repo?= =?UTF-8?q?=20restore=20instructions=20needed?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add new FAQ: A repo is corrupt and must be replaced with an older repo.
---
 docs/faq.rst | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/docs/faq.rst b/docs/faq.rst
index 51852e910..64edee627 100644
--- a/docs/faq.rst
+++ b/docs/faq.rst
@@ -187,6 +187,38 @@ all the part files and manually concatenate them together.
 For more details, see :ref:`checkpoints_parts`.
+My repository is corrupt, how can I restore from an older but working repository?
+---------------------------------------------------------------------------------
+
+If the working repo has the same ID as the corrupt one, the recommended method
+is to delete the corrupted repository, and then copy the working repository to
+the same location. The delete command will completely remove the corrupt repo
+and delete the corresponding cache and security subdirectory in
+``~/.config/borg/security``, including the nonce value (if encryption is used).
+When the working repo is used later for creating new archives, Borg would
+initialize a fresh nonce, which would be bad for security reasons (nonce values
+should never be reused). To prevent this, the security subdirectory should be
+saved before deleting, and later moved back into place.
+
+Example:
+
+::
+
+ # Get the repo ID from repo config.
+ REPO_ID=$(borg config /path/to/repo-good id)
+
+ # Rename the repo security dir so Borg won't delete it.
+ cd ~/.config/borg/security
+ mv $REPO_ID $REPO_ID.backup
+
+ # Now delete and rename the security dir back.
+ borg delete /path/to/repo
+ mv $REPO_ID.backup $REPO_ID
+
+ # Finally copy the good repo to the original place.
+ rsync -avH /path/to/repo-good /path/to/repo
+
+
 Can Borg add redundancy to the backup data to deal with hardware malfunction?
 -----------------------------------------------------------------------------

From 92b577e46f349e845e06533a0915ba1f0f71ead3 Mon Sep 17 00:00:00 2001
From: Thalian
Date: Thu, 26 Mar 2020 07:18:07 +0100
Subject: [PATCH 2/4] [FEATURE] Delete option to keep security info

When deleting a repository there is now an option --keep-security-info to leave the security info untouched. It can be used afterwards with an older copy of the repo but current nonce to not breach security.
---
 src/borg/archiver.py | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/src/borg/archiver.py b/src/borg/archiver.py
index 861c1256c..6b2d61590 100644
--- a/src/borg/archiver.py
+++ b/src/borg/archiver.py
@@ -1183,6 +1183,7 @@ class Archiver:
 def _delete_repository(self, args, repository):
 """Delete a repository"""
 dry_run = args.dry_run
+ keep_security_info = args.keep_security_info
 if not args.cache_only:
 msg = []
@@ -1207,9 +1208,14 @@ class Archiver:
 if not dry_run:
 repository.destroy()
 logger.info("Repository deleted.")
- SecurityManager.destroy(repository)
+ if not keep_security_info:
+ SecurityManager.destroy(repository)
 else:
 logger.info("Would delete repository.")
+ if keep_security_info:
+ logger.info("Would keep security info.")
+ else:
+ logger.info("Would delete security info.")
 if not dry_run:
 Cache.destroy(repository)
 logger.info("Cache deleted.")
@@ -3352,9 +3358,10 @@ class Archiver:
 Important: When deleting archives, repository disk space is **not** freed until
 you run ``borg compact``.
- If you delete the complete repository, the local cache for it (if any) is
- also deleted. Alternatively, you can delete just the local cache with the
- ``--cache-only`` option.
+ When you delete a complete repository, the security info and local cache for it
+ (if any) is also deleted. Alternatively, you can delete just the local cache
+ with the ``--cache-only`` option, or keep the security info with the
+ ``--keep-security-info`` option.
 When using ``--stats``, you will get some statistics about how much data was deleted - the "Deleted data" deduplicated size there is most interesting as
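Review bot: In the second hunk (`@@ -1207,9 +1208,14 @@`) the real deletion path logs nothing about security info when `keep_security_info` is set: the only message is "Repository deleted.", whereas the dry-run path does report "Would keep security info.". Going by the commit message, the retained data carries the current nonce that an older copy of the repository depends on, so an operator should be able to confirm from the log that it survived the delete. Add an `else:` branch with `logger.info("Security info kept.")` after the guarded `SecurityManager.destroy(repository)`. `_delete_repository` starts in the first hunk and continues past this one, so the rest of its body is not visible here.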
@@ -3383,10 +3390,11 @@ class Archiver:
 help='print statistics for the deleted archive')
 subparser.add_argument('--cache-only', dest='cache_only', action='store_true',
 help='delete only the local cache for the given repository')
- subparser.add_argument('--force', dest='forced',
- action='count', default=0,
+ subparser.add_argument('--force', dest='forced', action='count', default=0,
 help='force deletion of corrupted archives, '
 'use ``--force --force`` in case ``--force`` does not work.')
+ subparser.add_argument('--keep-security-info', dest='keep_security_info', action='store_true',
+ help='keep the local security info when deleting a repository')
 subparser.add_argument('--save-space', dest='save_space', action='store_true',
 help='work slower, but using less space')
 subparser.add_argument('location', metavar='REPOSITORY_OR_ARCHIVE', nargs='?', default='',

From 41ecd1ae30a1520b264a29ff59f16b21d61571c8 Mon Sep 17 00:00:00 2001
From: Thalian
Date: Thu, 26 Mar 2020 07:41:32 +0100
Subject: [PATCH 3/4] =?UTF-8?q?[DOCS]=20#3428=20=E2=80=93=20=20Borg=20repo?= =?UTF-8?q?=20restore=20instructions=20needed?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adapt FAQ to the new delete option.
---
 docs/faq.rst | 39 +++++++++++++--------------------------
 docs/internals/security.rst | 2 ++
 2 files changed, 15 insertions(+), 26 deletions(-)

diff --git a/docs/faq.rst b/docs/faq.rst
index 64edee627..7624bcf3b 100644
--- a/docs/faq.rst
+++ b/docs/faq.rst
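Review bot: The help string for `--keep-security-info` in the `@@ -3383,10 +3390,11 @@` hunk does not say what the kept data protects or when the flag is meant to be used. Per the commit message its purpose is to preserve the current nonce so that an older copy of the repository can be put back safely; the visible code reads the flag only in `_delete_repository`, so it presumably has no effect when deleting archives. Suggest `help='keep the local security info (incl. nonce) when deleting a repository, for restoring an older copy of it'`. The reflow of the `--force` argument onto one line is unrelated to the feature and would be easier to review as a separate change.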
@@ -187,37 +187,24 @@ all the part files and manually concatenate them together.
 For more details, see :ref:`checkpoints_parts`.
-My repository is corrupt, how can I restore from an older but working repository?
----------------------------------------------------------------------------------
+My repository is corrupt, how can I restore from an older copy of it?
+---------------------------------------------------------------------
-If the working repo has the same ID as the corrupt one, the recommended method
-is to delete the corrupted repository, and then copy the working repository to
-the same location. The delete command will completely remove the corrupt repo
-and delete the corresponding cache and security subdirectory in
-``~/.config/borg/security``, including the nonce value (if encryption is used).
-When the working repo is used later for creating new archives, Borg would
-initialize a fresh nonce, which would be bad for security reasons (nonce values
-should never be reused). To prevent this, the security subdirectory should be
-saved before deleting, and later moved back into place.
-
-Example:
+If your repositories are encrypted and have the same ID, the recommended method
+is to delete the corrupted repository, but keep its security info, and then copy
+the working repository to the same location:
 ::
- # Get the repo ID from repo config.
- REPO_ID=$(borg config /path/to/repo-good id)
-
- # Rename the repo security dir so Borg won't delete it.
- cd ~/.config/borg/security
- mv $REPO_ID $REPO_ID.backup
-
- # Now delete and rename the security dir back.
- borg delete /path/to/repo
- mv $REPO_ID.backup $REPO_ID
-
- # Finally copy the good repo to the original place.
- rsync -avH /path/to/repo-good /path/to/repo
+ borg delete --keep-security-info /path/to/repo
+ rsync -aH /path/to/repo-working/ /path/to/repo # Note the trailing slash.
+A plain delete command would remove the security info in
+``~/.config/borg/security``, including the nonce value. In BorgBackup
+:ref:`security_encryption` is AES-CTR, where the nonce is a counter. When the
+working repo was used later for creating new archives, Borg would initialize a
+fresh nonce, which would be bad for security reasons. To prevent this, the
+``keep-security-info`` option is applied so that the nonce counter is kept.
 Can Borg add redundancy to the backup data to deal with hardware malfunction?
 -----------------------------------------------------------------------------
diff --git a/docs/internals/security.rst b/docs/internals/security.rst
index 3d1717fa2..ac26bc5f0 100644
--- a/docs/internals/security.rst
+++ b/docs/internals/security.rst
@@ -118,6 +118,8 @@ prompt is a set BORG_PASSPHRASE. See issue :issue:`2169` for details.
 manifest this way, while a changed layout would have broken compatibility.
+.. _security_encryption:
+
 Encryption
 ----------

From 1d9dadd6b73e387560c314e7810d29424c838c5e Mon Sep 17 00:00:00 2001
From: Thalian
Date: Fri, 3 Apr 2020 17:40:30 +0200
Subject: [PATCH 4/4] =?UTF-8?q?[DOCS]=20#4883=20=E2=80=93=20Borg=20documen?= =?UTF-8?q?tation=20downplays=20severity=20of=20Nonce=20reuse=20issue?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Shorten the log info for deleting/keeping security info. Fix bad wording.
---
 docs/faq.rst | 7 ++++---
 src/borg/archiver.py | 7 ++-----
 2 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/docs/faq.rst b/docs/faq.rst
index 7624bcf3b..44f78c99b 100644
--- a/docs/faq.rst
+++ b/docs/faq.rst
@@ -202,9 +202,10 @@ the working repository to the same location:
 A plain delete command would remove the security info in
 ``~/.config/borg/security``, including the nonce value. In BorgBackup
 :ref:`security_encryption` is AES-CTR, where the nonce is a counter. When the
-working repo was used later for creating new archives, Borg would initialize a
-fresh nonce, which would be bad for security reasons. To prevent this, the
-``keep-security-info`` option is applied so that the nonce counter is kept.
+working repo was used later for creating new archives, Borg would re-use nonce
+values due to starting from a lower counter value given by the older copy of the
+repository. To prevent this, the ``keep-security-info`` option is applied so
+that the client-side nonce counter is kept.
 Can Borg add redundancy to the backup data to deal with hardware malfunction?
 -----------------------------------------------------------------------------
diff --git a/src/borg/archiver.py b/src/borg/archiver.py
index 6b2d61590..9f1b22a57 100644
--- a/src/borg/archiver.py
+++ b/src/borg/archiver.py
@@ -1212,10 +1212,7 @@ class Archiver:
 SecurityManager.destroy(repository)
 else:
 logger.info("Would delete repository.")
- if keep_security_info:
- logger.info("Would keep security info.")
- else:
- logger.info("Would delete security info.")
+ logger.info("Would %s security info." % ("keep" if keep_security_info else "delete"))
 if not dry_run:
 Cache.destroy(repository)
 logger.info("Cache deleted.")
@@ -3359,7 +3356,7 @@ class Archiver:
 you run ``borg compact``.
 When you delete a complete repository, the security info and local cache for it
- (if any) is also deleted. Alternatively, you can delete just the local cache
+ (if any) are also deleted. Alternatively, you can delete just the local cache
 with the ``--cache-only`` option, or keep the security info with the
 ``--keep-security-info`` option.
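Review bot: The condensed dry-run message in the `@@ -1212,10 +1212,7 @@` hunk of src/borg/archiver.py formats its string eagerly with `%` inside the `logger.info` call. Passing the value as a logging argument keeps the formatting lazy and follows the usual logging convention: `logger.info("Would %s security info.", "keep" if keep_security_info else "delete")`. Splicing the verb in also means neither "Would keep security info." nor "Would delete security info." exists as a literal any more, so searching the source for a line seen in a log no longer finds it; that is worth weighing against the three lines saved. The enclosing function starts and ends outside this hunk.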