1
0
Fork 0
mirror of https://github.com/borgbackup/borg.git synced 2024-12-24 08:45:13 +00:00
borg/docs/man/borg-rcreate.1

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

285 lines
7.9 KiB
Groff
Raw Normal View History

2017-02-05 13:22:06 +00:00
.\" Man page generated from reStructuredText.
.
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
2023-02-26 20:30:54 +00:00
.TH "BORG-RCREATE" 1 "2023-02-26" "" "borg backup tool"
2022-06-23 23:19:19 +00:00
.SH NAME
borg-rcreate \- Create a new, empty repository
2017-02-05 13:22:06 +00:00
.SH SYNOPSIS
.sp
2022-06-23 23:19:19 +00:00
borg [common options] rcreate [options]
2017-02-05 13:22:06 +00:00
.SH DESCRIPTION
.sp
2022-06-23 23:19:19 +00:00
This command creates a new, empty repository. A repository is a filesystem
2017-02-05 13:22:06 +00:00
directory containing the deduplicated data from zero or more archives.
2022-02-19 17:48:13 +00:00
.SS Encryption mode TLDR
2017-02-05 13:22:06 +00:00
.sp
2022-04-14 19:13:46 +00:00
The encryption mode can only be configured when creating a new repository \- you can
neither configure it on a per\-archive basis nor change the mode of an existing repository.
This example will likely NOT give optimum performance on your machine (performance
tips will come below):
2022-02-19 17:48:13 +00:00
.INDENT 0.0
.INDENT 3.5
2020-04-21 20:59:27 +00:00
.sp
2022-02-19 17:48:13 +00:00
.nf
.ft C
2022-06-23 23:19:19 +00:00
borg rcreate \-\-encryption repokey\-aes\-ocb
2022-02-19 17:48:13 +00:00
.ft P
.fi
.UNINDENT
.UNINDENT
2017-02-05 13:22:06 +00:00
.sp
2022-02-19 17:48:13 +00:00
Borg will:
.INDENT 0.0
.IP 1. 3
Ask you to come up with a passphrase.
.IP 2. 3
2022-04-14 19:13:46 +00:00
Create a borg key (which contains some random secrets. See \fIkey_files\fP).
2022-02-19 17:48:13 +00:00
.IP 3. 3
2022-09-10 14:03:27 +00:00
Derive a \(dqkey encryption key\(dq from your passphrase
2022-02-19 17:48:13 +00:00
.IP 4. 3
2022-04-14 19:13:46 +00:00
Encrypt and sign the key with the key encryption key
.IP 5. 3
2022-02-19 17:48:13 +00:00
Store the encrypted borg key inside the repository directory (in the repo config).
This is why it is essential to use a secure passphrase.
2022-04-14 19:13:46 +00:00
.IP 6. 3
2022-02-19 17:48:13 +00:00
Encrypt and sign your backups to prevent anyone from reading or forging them unless they
have the key and know the passphrase. Make sure to keep a backup of
your key \fBoutside\fP the repository \- do not lock yourself out by
2022-09-10 14:03:27 +00:00
\(dqleaving your keys inside your car\(dq (see \fIborg_key_export\fP).
2022-08-03 20:19:12 +00:00
The encryption is done locally \- if you use a remote repository, the remote machine
2022-02-19 17:48:13 +00:00
never sees your passphrase, your unencrypted key or your unencrypted files.
Chunking and id generation are also based on your key to improve
your privacy.
2022-04-14 19:13:46 +00:00
.IP 7. 3
2022-02-19 17:48:13 +00:00
Use the key when extracting files to decrypt them and to verify that the contents of
the backups have not been accidentally or maliciously altered.
.UNINDENT
.SS Picking a passphrase
2017-02-05 13:22:06 +00:00
.sp
Make sure you use a good passphrase. Not too short, not too simple. The real
encryption / decryption key is encrypted with / locked by your passphrase.
If an attacker gets your key, he can\(aqt unlock and use it without knowing the
passphrase.
.sp
Be careful with special or non\-ascii characters in your passphrase:
.INDENT 0.0
.IP \(bu 2
Borg processes the passphrase as unicode (and encodes it as utf\-8),
so it does not have problems dealing with even the strangest characters.
.IP \(bu 2
BUT: that does not necessarily apply to your OS / VM / keyboard configuration.
.UNINDENT
.sp
So better use a long passphrase made from simple ascii chars than one that
includes non\-ascii stuff or characters that are hard/impossible to enter on
a different keyboard layout.
.sp
You can change your passphrase for existing repos at any time, it won\(aqt affect
the encryption/decryption key or other secrets.
2022-04-14 19:13:46 +00:00
.SS Choosing an encryption mode
2022-02-19 17:48:13 +00:00
.sp
2022-04-14 19:13:46 +00:00
Depending on your hardware, hashing and crypto performance may vary widely.
The easiest way to find out about what\(aqs fastest is to run \fBborg benchmark cpu\fP\&.
2022-02-19 17:48:13 +00:00
.sp
2022-09-10 14:03:27 +00:00
\fIrepokey\fP modes: if you want ease\-of\-use and \(dqpassphrase\(dq security is good enough \-
2022-04-14 19:13:46 +00:00
the key will be stored in the repository (in \fBrepo_dir/config\fP).
2020-04-21 20:59:27 +00:00
.sp
\fIkeyfile\fP modes: if you want \(dqpassphrase and having\-the\-key\(dq security \-
2022-04-14 19:13:46 +00:00
the key will be stored in your home directory (in \fB~/.config/borg/keys\fP).
2020-04-21 20:59:27 +00:00
.sp
2022-04-14 19:13:46 +00:00
The following table is roughly sorted in order of preference, the better ones are
in the upper part of the table, in the lower part is the old and/or unsafe(r) stuff:
2017-06-18 10:13:28 +00:00
.\" nanorst: inline-fill
.
.TS
center;
2022-08-03 20:19:12 +00:00
|l|l|l|l|.
_
T{
2022-06-23 23:19:19 +00:00
Mode (K = keyfile or repokey)
T} T{
2022-06-23 23:19:19 +00:00
ID\-Hash
T} T{
2022-06-23 23:19:19 +00:00
Encryption
T} T{
2022-06-23 23:19:19 +00:00
Authentication
T}
_
T{
2022-06-23 23:19:19 +00:00
K\-blake2\-chacha20\-poly1305
T} T{
2022-04-14 19:13:46 +00:00
BLAKE2b
T} T{
CHACHA20
T} T{
POLY1305
T}
_
T{
2022-06-23 23:19:19 +00:00
K\-chacha20\-poly1305
2022-04-14 19:13:46 +00:00
T} T{
HMAC\-SHA\-256
T} T{
CHACHA20
T} T{
POLY1305
T}
_
T{
2022-06-23 23:19:19 +00:00
K\-blake2\-aes\-ocb
2022-04-14 19:13:46 +00:00
T} T{
BLAKE2b
T} T{
AES256\-OCB
T} T{
AES256\-OCB
T}
_
T{
2022-06-23 23:19:19 +00:00
K\-aes\-ocb
2022-04-14 19:13:46 +00:00
T} T{
HMAC\-SHA\-256
T} T{
AES256\-OCB
T} T{
AES256\-OCB
T}
_
T{
2022-04-14 19:13:46 +00:00
authenticated\-blake2
T} T{
BLAKE2b
T} T{
none
T} T{
BLAKE2b
2022-04-14 19:13:46 +00:00
T}
_
T{
authenticated
T} T{
HMAC\-SHA\-256
T} T{
2022-04-14 19:13:46 +00:00
none
T} T{
HMAC\-SHA256
T}
_
T{
none
T} T{
SHA\-256
T} T{
none
T} T{
none
T}
_
.TE
2017-06-18 10:13:28 +00:00
.\" nanorst: inline-replace
.
.sp
\fInone\fP mode uses no encryption and no authentication. You\(aqre advised NOT to use this mode
2022-04-14 19:13:46 +00:00
as it would expose you to all sorts of issues (DoS, confidentiality, tampering, ...) in
case of malicious activity in the repository.
.sp
2022-04-14 19:13:46 +00:00
If you do \fBnot\fP want to encrypt the contents of your backups, but still want to detect
malicious tampering use an \fIauthenticated\fP mode. It\(aqs like \fIrepokey\fP minus encryption.
2022-08-03 20:19:12 +00:00
.SS Creating a related repository
.sp
A related repository uses same secret key material as the other/original repository.
.sp
By default, only the ID key and chunker secret will be the same (these are important
for deduplication) and the AE crypto keys will be newly generated random keys.
.sp
2022-08-07 17:20:34 +00:00
Optionally, if you use \fB\-\-copy\-crypt\-key\fP you can also keep the same crypt_key
2022-08-03 20:19:12 +00:00
(used for authenticated encryption). Might be desired e.g. if you want to have less
keys to manage.
.sp
Creating related repositories is useful e.g. if you want to use \fBborg transfer\fP later.
2017-02-05 13:22:06 +00:00
.SH OPTIONS
.sp
See \fIborg\-common(1)\fP for common options of Borg commands.
2022-11-26 21:23:46 +00:00
.SS options
2017-02-05 13:22:06 +00:00
.INDENT 0.0
.TP
2022-06-23 23:19:19 +00:00
.BI \-\-other\-repo \ SRC_REPOSITORY
reuse the key material from the other repository
.TP
2020-10-04 18:33:08 +00:00
.BI \-e \ MODE\fR,\fB \ \-\-encryption \ MODE
2017-05-17 09:52:48 +00:00
select encryption key mode \fB(required)\fP
2017-02-05 13:22:06 +00:00
.TP
2022-06-23 23:19:19 +00:00
.B \-\-append\-only
2019-02-24 19:40:07 +00:00
create an append\-only mode repository. Note that this only affects the low level structure of the repository, and running \fIdelete\fP or \fIprune\fP will still be allowed. See \fIappend_only_mode\fP in Additional Notes for more details.
.TP
.BI \-\-storage\-quota \ QUOTA
Set storage quota of the new repository (e.g. 5G, 1.5T). Default: no quota.
2019-02-24 19:40:07 +00:00
.TP
2022-06-23 23:19:19 +00:00
.B \-\-make\-parent\-dirs
2019-02-24 19:40:07 +00:00
create the parent directories of the repository directory, if they are missing.
2022-08-03 20:19:12 +00:00
.TP
2022-08-07 17:20:34 +00:00
.B \-\-copy\-crypt\-key
copy the crypt_key (used for authenticated encryption) from the key of the other repo (default: new random key).
2017-02-05 13:22:06 +00:00
.UNINDENT
.SH EXAMPLES
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
2022-06-23 23:19:19 +00:00
# Local repository
$ export BORG_REPO=/path/to/repo
# recommended repokey AEAD crypto modes
$ borg rcreate \-\-encryption=repokey\-aes\-ocb
$ borg rcreate \-\-encryption=repokey\-chacha20\-poly1305
$ borg rcreate \-\-encryption=repokey\-blake2\-aes\-ocb
$ borg rcreate \-\-encryption=repokey\-blake2\-chacha20\-poly1305
# no encryption, not recommended
$ borg rcreate \-\-encryption=authenticated
2022-08-03 20:19:12 +00:00
$ borg rcreate \-\-encryption=authenticated\-blake2
2022-06-23 23:19:19 +00:00
$ borg rcreate \-\-encryption=none
2017-02-05 13:22:06 +00:00
# Remote repository (accesses a remote borg via ssh)
2022-06-23 23:19:19 +00:00
$ export BORG_REPO=ssh://user@hostname/~/backup
2020-04-21 20:59:27 +00:00
# repokey: stores the (encrypted) key into <REPO_DIR>/config
2022-06-23 23:19:19 +00:00
$ borg rcreate \-\-encryption=repokey\-aes\-ocb
2020-04-21 20:59:27 +00:00
# keyfile: stores the (encrypted) key into ~/.config/borg/keys/
2022-06-23 23:19:19 +00:00
$ borg rcreate \-\-encryption=keyfile\-aes\-ocb
2017-02-05 13:22:06 +00:00
.ft P
.fi
.UNINDENT
.UNINDENT
.SH SEE ALSO
.sp
2023-01-02 22:51:22 +00:00
\fIborg\-common(1)\fP, \fIborg\-rdelete(1)\fP, \fIborg\-rlist(1)\fP, \fIborg\-check(1)\fP, \fIborg\-benchmark\-cpu(1)\fP, \fIborg\-key\-import(1)\fP, \fIborg\-key\-export(1)\fP, \fIborg\-key\-change\-passphrase(1)\fP
2017-02-05 13:22:06 +00:00
.SH AUTHOR
The Borg Collective
.\" Generated by docutils manpage writer.
.