mirror of
https://github.com/borgbackup/borg.git
synced 2026-07-10 10:42:09 -04:00
238 lines
9.7 KiB
Groff
238 lines
9.7 KiB
Groff
.\" Man page generated from reStructuredText
|
|
.\" by the Docutils 0.22.4 manpage writer.
|
|
.
|
|
.
|
|
.nr rst2man-indent-level 0
|
|
.
|
|
.de1 rstReportMargin
|
|
\\$1 \\n[an-margin]
|
|
level \\n[rst2man-indent-level]
|
|
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
|
-
|
|
\\n[rst2man-indent0]
|
|
\\n[rst2man-indent1]
|
|
\\n[rst2man-indent2]
|
|
..
|
|
.de1 INDENT
|
|
.\" .rstReportMargin pre:
|
|
. RS \\$1
|
|
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
|
|
. nr rst2man-indent-level +1
|
|
.\" .rstReportMargin post:
|
|
..
|
|
.de UNINDENT
|
|
. RE
|
|
.\" indent \\n[an-margin]
|
|
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
|
.nr rst2man-indent-level -1
|
|
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
|
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
|
|
..
|
|
.TH "borg-repo-create" "1" "2026-06-16" "" "borg backup tool"
|
|
.SH Name
|
|
borg-repo-create \- Creates a new, empty repository.
|
|
.SH SYNOPSIS
|
|
.sp
|
|
borg [common options] repo\-create [options]
|
|
.SH DESCRIPTION
|
|
.sp
|
|
This command creates a new, empty repository. A repository is a \fBborgstore\fP store
|
|
containing the deduplicated data from zero or more archives.
|
|
.sp
|
|
Repository creation can be quite slow for some kinds of stores (e.g. for \fBsftp:\fP) \-
|
|
this is due to borgstore pre\-creating all directories needed, making usage of the
|
|
store faster.
|
|
.SS Encryption mode TL;DR
|
|
.sp
|
|
The encryption mode can only be configured when creating a new repository \- you can
|
|
neither configure it on a per\-archive basis nor change the mode of an existing repository.
|
|
This example will likely NOT give optimum performance on your machine (performance
|
|
tips will come below):
|
|
.INDENT 0.0
|
|
.INDENT 3.5
|
|
.sp
|
|
.EX
|
|
borg repo\-create \-\-encryption aes256\-ocb \-\-key\-location repokey
|
|
.EE
|
|
.UNINDENT
|
|
.UNINDENT
|
|
.sp
|
|
Borg will:
|
|
.INDENT 0.0
|
|
.IP 1. 3
|
|
Ask you to come up with a passphrase.
|
|
.IP 2. 3
|
|
Create a borg key (which contains some random secrets. See \fIkey_files\fP).
|
|
.IP 3. 3
|
|
Derive a \(dqkey encryption key\(dq from your passphrase
|
|
.IP 4. 3
|
|
Encrypt and sign the key with the key encryption key
|
|
.IP 5. 3
|
|
Store the encrypted borg key inside the repository directory (in the repo config).
|
|
This is why it is essential to use a secure passphrase.
|
|
.IP 6. 3
|
|
Encrypt and sign your backups to prevent anyone from reading or forging them unless they
|
|
have the key and know the passphrase. Make sure to keep a backup of
|
|
your key \fBoutside\fP the repository \- do not lock yourself out by
|
|
\(dqleaving your keys inside your car\(dq (see \fIborg_key_export\fP).
|
|
The encryption is done locally \- if you use a remote repository, the remote machine
|
|
never sees your passphrase, your unencrypted key or your unencrypted files.
|
|
Chunking and ID generation are also based on your key to improve
|
|
your privacy.
|
|
.IP 7. 3
|
|
Use the key when extracting files to decrypt them and to verify that the contents of
|
|
the backups have not been accidentally or maliciously altered.
|
|
.UNINDENT
|
|
.SS Picking a passphrase
|
|
.sp
|
|
Make sure you use a good passphrase. Not too short, not too simple. The real
|
|
encryption / decryption key is encrypted with / locked by your passphrase.
|
|
If an attacker gets your key, they cannot unlock and use it without knowing the
|
|
passphrase.
|
|
.sp
|
|
Be careful with special or non\-ASCII characters in your passphrase:
|
|
.INDENT 0.0
|
|
.IP \(bu 2
|
|
Borg processes the passphrase as Unicode (and encodes it as UTF\-8),
|
|
so it does not have problems dealing with even the strangest characters.
|
|
.IP \(bu 2
|
|
BUT: that does not necessarily apply to your OS/VM/keyboard configuration.
|
|
.UNINDENT
|
|
.sp
|
|
So better use a long passphrase made from simple ASCII characters than one that
|
|
includes non\-ASCII stuff or characters that are hard or impossible to enter on
|
|
a different keyboard layout.
|
|
.sp
|
|
You can change your passphrase for existing repositories at any time; it will not affect
|
|
the encryption/decryption key or other secrets.
|
|
.SS Choosing a crypto suite
|
|
.sp
|
|
Depending on your hardware, hashing and crypto performance may vary widely.
|
|
The easiest way to find out what is fastest is to run \fBborg benchmark cpu\fP\&.
|
|
.sp
|
|
A crypto suite is selected by three orthogonal options:
|
|
.sp
|
|
\fB\-\-encryption\fP (\fBrequired\fP) selects the cipher / authenticated\-encryption algorithm:
|
|
.INDENT 0.0
|
|
.IP \(bu 2
|
|
\fBaes256\-ocb\fP: AES256 in OCB mode (encryption + authentication).
|
|
.IP \(bu 2
|
|
\fBchacha20\-poly1305\fP: ChaCha20 + Poly1305 (encryption + authentication).
|
|
.IP \(bu 2
|
|
\fBauthenticated\fP: no encryption, but still authenticates your data (tamper detection).
|
|
.IP \(bu 2
|
|
\fBnone\fP: no encryption and no authentication (see the warning below).
|
|
.UNINDENT
|
|
.sp
|
|
\fB\-\-id\-hash\fP selects the id hash function (used for chunk ids and authentication):
|
|
.INDENT 0.0
|
|
.IP \(bu 2
|
|
\fBsha256\fP (default): HMAC\-SHA\-256 (or plain SHA\-256 for the \fBnone\fP encryption).
|
|
.IP \(bu 2
|
|
\fBblake3\fP: BLAKE3. Often faster on CPUs without SHA hardware acceleration.
|
|
.UNINDENT
|
|
.sp
|
|
The \fBnone\fP encryption has no key, so it only supports the \fBsha256\fP id hash.
|
|
.sp
|
|
\fB\-\-key\-location\fP selects where the key is stored (orthogonal to the crypto suite):
|
|
.INDENT 0.0
|
|
.IP \(bu 2
|
|
\fBrepokey\fP (default): the key is stored in the repository (under \fBkeys/\fP). Pick this
|
|
if you want ease\-of\-use and \(dqpassphrase\(dq security is good enough.
|
|
.IP \(bu 2
|
|
\fBkeyfile\fP: the key is stored in your home directory (in \fB~/.config/borg/keys\fP). Pick
|
|
this if you want \(dqpassphrase and having\-the\-key\(dq security.
|
|
.UNINDENT
|
|
.sp
|
|
You can move the key between these locations later with \fBborg key change\-location\fP\&.
|
|
This also applies to the \fBauthenticated\fP encryption: it does not encrypt your data, but it
|
|
still has a key (used for the id hash and authentication), so \fB\-\-key\-location\fP selects
|
|
where that key is stored, just like for the encrypted suites.
|
|
\fB\-\-key\-location\fP is only ignored for the \fBnone\fP encryption, which has no key at all.
|
|
.sp
|
|
\fInone\fP encryption uses no encryption and no authentication. You are advised NOT to use this
|
|
as it would expose you to a Denial\-of\-Service risk (due to how the \fIinternals_hashindex\fP
|
|
works) and other issues (confidentiality, tampering, ...) in case of malicious activity
|
|
in the repository.
|
|
.sp
|
|
If you do \fBnot\fP want to encrypt the contents of your backups, but still want to detect
|
|
malicious tampering, use \fB\-\-encryption authenticated\fP\&. It is like an encrypted suite
|
|
minus the data encryption.
|
|
To normally work with \fBauthenticated\fP repositories, you will need the passphrase, but
|
|
there is an emergency workaround; see \fBBORG_WORKAROUNDS=authenticated_no_key\fP docs.
|
|
.SS Creating a related repository
|
|
.sp
|
|
You can use \fBborg repo\-create \-\-other\-repo ORIG_REPO ...\fP to create a related repository
|
|
that uses the same secret key material as the given other/original repository.
|
|
.sp
|
|
By default, only the ID key and chunker secret will be the same (these are important
|
|
for deduplication) and the AE crypto keys will be newly generated random keys.
|
|
.sp
|
|
Optionally, if you use \fB\-\-copy\-crypt\-key\fP you can also keep the same crypt_key
|
|
(used for authenticated encryption). This might be desired, for example, if you want to have fewer
|
|
keys to manage.
|
|
.sp
|
|
Creating related repositories is useful, for example, if you want to use \fBborg transfer\fP later.
|
|
.SS Creating a related repository for data migration from Borg 1.2 or 1.4
|
|
.sp
|
|
You can use \fBborg repo\-create \-\-other\-repo ORIG_REPO \-\-from\-borg1 ...\fP to create a related
|
|
repository that uses the same secret key material as the given other/original repository.
|
|
.sp
|
|
Then use \fBborg transfer \-\-other\-repo ORIG_REPO \-\-from\-borg1 ...\fP to transfer the archives.
|
|
.SH OPTIONS
|
|
.sp
|
|
See \fIborg\-common(1)\fP for common options of Borg commands.
|
|
.SS options
|
|
.INDENT 0.0
|
|
.TP
|
|
.BI \-\-other\-repo \ SRC_REPOSITORY
|
|
reuse the key material from the other repository
|
|
.TP
|
|
.B \-\-from\-borg1
|
|
other repository is Borg 1.x
|
|
.TP
|
|
.BI \-e \ ENCRYPTION\fR,\fB \ \-\-encryption \ ENCRYPTION
|
|
select cipher / AE algorithm: \(aqnone\(aq, \(aqauthenticated\(aq, \(aqaes256\-ocb\(aq or \(aqchacha20\-poly1305\(aq \fB(required)\fP
|
|
.TP
|
|
.BI \-i \ HASH\fR,\fB \ \-\-id\-hash \ HASH
|
|
select the id hash function: \(aqsha256\(aq (default) or \(aqblake3\(aq. The \(aqnone\(aq encryption only supports \(aqsha256\(aq.
|
|
.TP
|
|
.BI \-\-key\-location \ LOCATION
|
|
where to store the key: \(aqrepokey\(aq (in the repository, default) or \(aqkeyfile\(aq (in the local keys directory). Ignored for the \(aqnone\(aq mode (which has no key).
|
|
.TP
|
|
.B \-\-copy\-crypt\-key
|
|
copy the crypt_key (used for authenticated encryption) from the key of the other repository (default: new random key).
|
|
.UNINDENT
|
|
.SH EXAMPLES
|
|
.INDENT 0.0
|
|
.INDENT 3.5
|
|
.sp
|
|
.EX
|
|
# Local repository
|
|
$ export BORG_REPO=/path/to/repo
|
|
# Recommended AEAD cryptographic modes (key stored in the repository by default)
|
|
$ borg repo\-create \-\-encryption=aes\-ocb
|
|
$ borg repo\-create \-\-encryption=chacha20\-poly1305
|
|
$ borg repo\-create \-\-encryption=blake3\-aes\-ocb
|
|
$ borg repo\-create \-\-encryption=blake3\-chacha20\-poly1305
|
|
# No encryption (not recommended)
|
|
$ borg repo\-create \-\-encryption=authenticated
|
|
$ borg repo\-create \-\-encryption=authenticated\-blake3
|
|
$ borg repo\-create \-\-encryption=none
|
|
|
|
# The crypto suite (\-\-encryption) and where the key is stored (\-\-key\-location) are
|
|
# chosen independently. \-\-key\-location defaults to repokey.
|
|
# repokey: stores the encrypted key inside the repository
|
|
$ borg repo\-create \-\-encryption=aes\-ocb \-\-key\-location=repokey
|
|
# keyfile: stores the encrypted key in the config dir\(aqs keys/ subdir
|
|
# (e.g. ~/.config/borg/keys/ on Linux, ~/Library/Application Support/borg/keys/ on macOS)
|
|
$ borg repo\-create \-\-encryption=aes\-ocb \-\-key\-location=keyfile
|
|
.EE
|
|
.UNINDENT
|
|
.UNINDENT
|
|
.SH SEE ALSO
|
|
.sp
|
|
\fIborg\-common(1)\fP, \fIborg\-repo\-delete(1)\fP, \fIborg\-repo\-list(1)\fP, \fIborg\-check(1)\fP, \fIborg\-benchmark\-cpu(1)\fP, \fIborg\-key\-import(1)\fP, \fIborg\-key\-export(1)\fP, \fIborg\-key\-change\-passphrase(1)\fP
|
|
.SH Author
|
|
The Borg Collective
|
|
.\" End of generated man page.
|