diff --git a/docs/usage/rcreate.rst b/docs/usage/rcreate.rst index 985c29c3..15b82bdb 100644 --- a/docs/usage/rcreate.rst +++ b/docs/usage/rcreate.rst @@ -15,6 +15,7 @@ Examples $ borg rcreate --encryption=repokey-blake2-chacha20-poly1305 # no encryption, not recommended $ borg rcreate --encryption=authenticated + $ borg rcreate --encryption=authenticated-blake2 $ borg rcreate --encryption=none # Remote repository (accesses a remote borg via ssh) diff --git a/src/borg/archiver/rcreate.py b/src/borg/archiver/rcreate.py index 7fb0854c..24dbb007 100644 --- a/src/borg/archiver/rcreate.py +++ b/src/borg/archiver/rcreate.py @@ -80,7 +80,7 @@ class RCreateMixIn: have the key and know the passphrase. Make sure to keep a backup of your key **outside** the repository - do not lock yourself out by "leaving your keys inside your car" (see :ref:`borg_key_export`). - For remote backups the encryption is done locally - the remote machine + The encryption is done locally - if you use a remote repository, the remote machine never sees your passphrase, your unencrypted key or your unencrypted files. Chunking and id generation are also based on your key to improve your privacy. @@ -125,27 +125,23 @@ class RCreateMixIn: .. nanorst: inline-fill - +-----------------------------------+--------------+----------------+--------------------+---------+ - | Mode (K = keyfile or repokey) | ID-Hash | Encryption | Authentication | V >= | - +-----------------------------------+--------------+----------------+--------------------+---------+ - | K-blake2-chacha20-poly1305 | BLAKE2b | CHACHA20 | POLY1305 | 2.0 | - +-----------------------------------+--------------+----------------+--------------------+---------+ - | K-chacha20-poly1305 | HMAC-SHA-256 | CHACHA20 | POLY1305 | 2.0 | - +-----------------------------------+--------------+----------------+--------------------+---------+ - | K-blake2-aes-ocb | BLAKE2b | AES256-OCB | AES256-OCB | 2.0 | - +-----------------------------------+--------------+----------------+--------------------+---------+ - | K-aes-ocb | HMAC-SHA-256 | AES256-OCB | AES256-OCB | 2.0 | - +-----------------------------------+--------------+----------------+--------------------+---------+ - | K-blake2 | BLAKE2b | AES256-CTR | BLAKE2b | 1.1 | - +-----------------------------------+--------------+----------------+--------------------+---------+ - | K | HMAC-SHA-256 | AES256-CTR | HMAC-SHA256 | any | - +-----------------------------------+--------------+----------------+--------------------+---------+ - | authenticated-blake2 | BLAKE2b | none | BLAKE2b | 1.1 | - +-----------------------------------+--------------+----------------+--------------------+---------+ - | authenticated | HMAC-SHA-256 | none | HMAC-SHA256 | 1.1 | - +-----------------------------------+--------------+----------------+--------------------+---------+ - | none | SHA-256 | none | none | any | - +-----------------------------------+--------------+----------------+--------------------+---------+ + +-----------------------------------+--------------+----------------+--------------------+ + | Mode (K = keyfile or repokey) | ID-Hash | Encryption | Authentication | + +-----------------------------------+--------------+----------------+--------------------+ + | K-blake2-chacha20-poly1305 | BLAKE2b | CHACHA20 | POLY1305 | + +-----------------------------------+--------------+----------------+--------------------+ + | K-chacha20-poly1305 | HMAC-SHA-256 | CHACHA20 | POLY1305 | + +-----------------------------------+--------------+----------------+--------------------+ + | K-blake2-aes-ocb | BLAKE2b | AES256-OCB | AES256-OCB | + +-----------------------------------+--------------+----------------+--------------------+ + | K-aes-ocb | HMAC-SHA-256 | AES256-OCB | AES256-OCB | + +-----------------------------------+--------------+----------------+--------------------+ + | authenticated-blake2 | BLAKE2b | none | BLAKE2b | + +-----------------------------------+--------------+----------------+--------------------+ + | authenticated | HMAC-SHA-256 | none | HMAC-SHA256 | + +-----------------------------------+--------------+----------------+--------------------+ + | none | SHA-256 | none | none | + +-----------------------------------+--------------+----------------+--------------------+ .. nanorst: inline-replace @@ -156,6 +152,19 @@ class RCreateMixIn: If you do **not** want to encrypt the contents of your backups, but still want to detect malicious tampering use an `authenticated` mode. It's like `repokey` minus encryption. + Creating a related repository + +++++++++++++++++++++++++++++ + + A related repository uses same secret key material as the other/original repository. + + By default, only the ID key and chunker secret will be the same (these are important + for deduplication) and the AE crypto keys will be newly generated random keys. + + Optionally, if you use ``--copy-ae-key`` you can also keep the same AE crypto keys + (used for authenticated encryption). Might be desired e.g. if you want to have less + keys to manage. + + Creating related repositories is useful e.g. if you want to use ``borg transfer`` later. """ ) subparser = subparsers.add_parser(