borgbackup/docs/man/borg-repo-create.1
2026-06-16 14:17:43 +02:00

238 lines
9.7 KiB
Groff

.\" Man page generated from reStructuredText
.\" by the Docutils 0.22.4 manpage writer.
.
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.TH "borg-repo-create" "1" "2026-06-16" "" "borg backup tool"
.SH Name
borg-repo-create \- Creates a new, empty repository.
.SH SYNOPSIS
.sp
borg [common options] repo\-create [options]
.SH DESCRIPTION
.sp
This command creates a new, empty repository. A repository is a \fBborgstore\fP store
containing the deduplicated data from zero or more archives.
.sp
Repository creation can be quite slow for some kinds of stores (e.g. for \fBsftp:\fP) \-
this is due to borgstore pre\-creating all directories needed, making usage of the
store faster.
.SS Encryption mode TL;DR
.sp
The encryption mode can only be configured when creating a new repository \- you can
neither configure it on a per\-archive basis nor change the mode of an existing repository.
This example will likely NOT give optimum performance on your machine (performance
tips will come below):
.INDENT 0.0
.INDENT 3.5
.sp
.EX
borg repo\-create \-\-encryption aes256\-ocb \-\-key\-location repokey
.EE
.UNINDENT
.UNINDENT
.sp
Borg will:
.INDENT 0.0
.IP 1. 3
Ask you to come up with a passphrase.
.IP 2. 3
Create a borg key (which contains some random secrets. See \fIkey_files\fP).
.IP 3. 3
Derive a \(dqkey encryption key\(dq from your passphrase
.IP 4. 3
Encrypt and sign the key with the key encryption key
.IP 5. 3
Store the encrypted borg key inside the repository directory (in the repo config).
This is why it is essential to use a secure passphrase.
.IP 6. 3
Encrypt and sign your backups to prevent anyone from reading or forging them unless they
have the key and know the passphrase. Make sure to keep a backup of
your key \fBoutside\fP the repository \- do not lock yourself out by
\(dqleaving your keys inside your car\(dq (see \fIborg_key_export\fP).
The encryption is done locally \- if you use a remote repository, the remote machine
never sees your passphrase, your unencrypted key or your unencrypted files.
Chunking and ID generation are also based on your key to improve
your privacy.
.IP 7. 3
Use the key when extracting files to decrypt them and to verify that the contents of
the backups have not been accidentally or maliciously altered.
.UNINDENT
.SS Picking a passphrase
.sp
Make sure you use a good passphrase. Not too short, not too simple. The real
encryption / decryption key is encrypted with / locked by your passphrase.
If an attacker gets your key, they cannot unlock and use it without knowing the
passphrase.
.sp
Be careful with special or non\-ASCII characters in your passphrase:
.INDENT 0.0
.IP \(bu 2
Borg processes the passphrase as Unicode (and encodes it as UTF\-8),
so it does not have problems dealing with even the strangest characters.
.IP \(bu 2
BUT: that does not necessarily apply to your OS/VM/keyboard configuration.
.UNINDENT
.sp
So better use a long passphrase made from simple ASCII characters than one that
includes non\-ASCII stuff or characters that are hard or impossible to enter on
a different keyboard layout.
.sp
You can change your passphrase for existing repositories at any time; it will not affect
the encryption/decryption key or other secrets.
.SS Choosing a crypto suite
.sp
Depending on your hardware, hashing and crypto performance may vary widely.
The easiest way to find out what is fastest is to run \fBborg benchmark cpu\fP\&.
.sp
A crypto suite is selected by three orthogonal options:
.sp
\fB\-\-encryption\fP (\fBrequired\fP) selects the cipher / authenticated\-encryption algorithm:
.INDENT 0.0
.IP \(bu 2
\fBaes256\-ocb\fP: AES256 in OCB mode (encryption + authentication).
.IP \(bu 2
\fBchacha20\-poly1305\fP: ChaCha20 + Poly1305 (encryption + authentication).
.IP \(bu 2
\fBauthenticated\fP: no encryption, but still authenticates your data (tamper detection).
.IP \(bu 2
\fBnone\fP: no encryption and no authentication (see the warning below).
.UNINDENT
.sp
\fB\-\-id\-hash\fP selects the id hash function (used for chunk ids and authentication):
.INDENT 0.0
.IP \(bu 2
\fBsha256\fP (default): HMAC\-SHA\-256 (or plain SHA\-256 for the \fBnone\fP encryption).
.IP \(bu 2
\fBblake3\fP: BLAKE3. Often faster on CPUs without SHA hardware acceleration.
.UNINDENT
.sp
The \fBnone\fP encryption has no key, so it only supports the \fBsha256\fP id hash.
.sp
\fB\-\-key\-location\fP selects where the key is stored (orthogonal to the crypto suite):
.INDENT 0.0
.IP \(bu 2
\fBrepokey\fP (default): the key is stored in the repository (under \fBkeys/\fP). Pick this
if you want ease\-of\-use and \(dqpassphrase\(dq security is good enough.
.IP \(bu 2
\fBkeyfile\fP: the key is stored in your home directory (in \fB~/.config/borg/keys\fP). Pick
this if you want \(dqpassphrase and having\-the\-key\(dq security.
.UNINDENT
.sp
You can move the key between these locations later with \fBborg key change\-location\fP\&.
This also applies to the \fBauthenticated\fP encryption: it does not encrypt your data, but it
still has a key (used for the id hash and authentication), so \fB\-\-key\-location\fP selects
where that key is stored, just like for the encrypted suites.
\fB\-\-key\-location\fP is only ignored for the \fBnone\fP encryption, which has no key at all.
.sp
\fInone\fP encryption uses no encryption and no authentication. You are advised NOT to use this
as it would expose you to a Denial\-of\-Service risk (due to how the \fIinternals_hashindex\fP
works) and other issues (confidentiality, tampering, ...) in case of malicious activity
in the repository.
.sp
If you do \fBnot\fP want to encrypt the contents of your backups, but still want to detect
malicious tampering, use \fB\-\-encryption authenticated\fP\&. It is like an encrypted suite
minus the data encryption.
To normally work with \fBauthenticated\fP repositories, you will need the passphrase, but
there is an emergency workaround; see \fBBORG_WORKAROUNDS=authenticated_no_key\fP docs.
.SS Creating a related repository
.sp
You can use \fBborg repo\-create \-\-other\-repo ORIG_REPO ...\fP to create a related repository
that uses the same secret key material as the given other/original repository.
.sp
By default, only the ID key and chunker secret will be the same (these are important
for deduplication) and the AE crypto keys will be newly generated random keys.
.sp
Optionally, if you use \fB\-\-copy\-crypt\-key\fP you can also keep the same crypt_key
(used for authenticated encryption). This might be desired, for example, if you want to have fewer
keys to manage.
.sp
Creating related repositories is useful, for example, if you want to use \fBborg transfer\fP later.
.SS Creating a related repository for data migration from Borg 1.2 or 1.4
.sp
You can use \fBborg repo\-create \-\-other\-repo ORIG_REPO \-\-from\-borg1 ...\fP to create a related
repository that uses the same secret key material as the given other/original repository.
.sp
Then use \fBborg transfer \-\-other\-repo ORIG_REPO \-\-from\-borg1 ...\fP to transfer the archives.
.SH OPTIONS
.sp
See \fIborg\-common(1)\fP for common options of Borg commands.
.SS options
.INDENT 0.0
.TP
.BI \-\-other\-repo \ SRC_REPOSITORY
reuse the key material from the other repository
.TP
.B \-\-from\-borg1
other repository is Borg 1.x
.TP
.BI \-e \ ENCRYPTION\fR,\fB \ \-\-encryption \ ENCRYPTION
select cipher / AE algorithm: \(aqnone\(aq, \(aqauthenticated\(aq, \(aqaes256\-ocb\(aq or \(aqchacha20\-poly1305\(aq \fB(required)\fP
.TP
.BI \-i \ HASH\fR,\fB \ \-\-id\-hash \ HASH
select the id hash function: \(aqsha256\(aq (default) or \(aqblake3\(aq. The \(aqnone\(aq encryption only supports \(aqsha256\(aq.
.TP
.BI \-\-key\-location \ LOCATION
where to store the key: \(aqrepokey\(aq (in the repository, default) or \(aqkeyfile\(aq (in the local keys directory). Ignored for the \(aqnone\(aq mode (which has no key).
.TP
.B \-\-copy\-crypt\-key
copy the crypt_key (used for authenticated encryption) from the key of the other repository (default: new random key).
.UNINDENT
.SH EXAMPLES
.INDENT 0.0
.INDENT 3.5
.sp
.EX
# Local repository
$ export BORG_REPO=/path/to/repo
# Recommended AEAD cryptographic modes (key stored in the repository by default)
$ borg repo\-create \-\-encryption=aes\-ocb
$ borg repo\-create \-\-encryption=chacha20\-poly1305
$ borg repo\-create \-\-encryption=blake3\-aes\-ocb
$ borg repo\-create \-\-encryption=blake3\-chacha20\-poly1305
# No encryption (not recommended)
$ borg repo\-create \-\-encryption=authenticated
$ borg repo\-create \-\-encryption=authenticated\-blake3
$ borg repo\-create \-\-encryption=none
# The crypto suite (\-\-encryption) and where the key is stored (\-\-key\-location) are
# chosen independently. \-\-key\-location defaults to repokey.
# repokey: stores the encrypted key inside the repository
$ borg repo\-create \-\-encryption=aes\-ocb \-\-key\-location=repokey
# keyfile: stores the encrypted key in the config dir\(aqs keys/ subdir
# (e.g. ~/.config/borg/keys/ on Linux, ~/Library/Application Support/borg/keys/ on macOS)
$ borg repo\-create \-\-encryption=aes\-ocb \-\-key\-location=keyfile
.EE
.UNINDENT
.UNINDENT
.SH SEE ALSO
.sp
\fIborg\-common(1)\fP, \fIborg\-repo\-delete(1)\fP, \fIborg\-repo\-list(1)\fP, \fIborg\-check(1)\fP, \fIborg\-benchmark\-cpu(1)\fP, \fIborg\-key\-import(1)\fP, \fIborg\-key\-export(1)\fP, \fIborg\-key\-change\-passphrase(1)\fP
.SH Author
The Borg Collective
.\" End of generated man page.