1
0
Fork 0
mirror of https://github.com/borgbackup/borg.git synced 2024-12-25 17:27:31 +00:00

Argon2 the third part: borg key change-algorithm (#6549)

add `borg key change-algorithm` to change the kdf / key processing
This commit is contained in:
Andrey Andreyevich Bienkowski 2022-04-09 10:42:05 +00:00 committed by GitHub
parent 1a9841347a
commit d386b0346d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 43 additions and 0 deletions

View file

@ -421,6 +421,15 @@ def do_change_location(self, args, repository, manifest, key, cache):
return EXIT_SUCCESS
@with_repository(exclusive=True, compatibility=(Manifest.Operation.CHECK,))
def do_change_algorithm(self, args, repository, manifest, key):
"""Change repository key algorithm"""
if not hasattr(key, 'change_passphrase'):
print('This repository is not encrypted, cannot change the algorithm.')
return EXIT_ERROR
key.save(key.target, key._passphrase, algorithm=KEY_ALGORITHMS[args.algorithm])
return EXIT_SUCCESS
@with_repository(lock=False, exclusive=False, manifest=False, cache=False)
def do_key_export(self, args, repository):
"""Export the repository key for backup"""
@ -4455,6 +4464,30 @@ def define_borg_mount(parser):
subparser.add_argument('--keep', dest='keep', action='store_true',
help='keep the key also at the current location (default: remove it)')
change_algorithm_epilog = process_epilog("""
Change the algorithm we use to encrypt and authenticate the borg key.
Your repository is encrypted and authenticated with a key that is randomly generated by ``borg init``.
The key is encrypted and authenticated with your passphrase.
We currently support two choices:
1. argon2 - recommended. This algorithm is used by default when initialising a new repository.
The key encryption key is derived from your passphrase via argon2-id.
Argon2 is considered more modern and secure than pbkdf2.
1. pbkdf2 - the legacy algorithm. Use this if you want to access your repo via old versions of borg.
The key encryption key is derived from your passphrase via PBKDF2-HMAC-SHA256.
""")
subparser = key_parsers.add_parser('change-algorithm', parents=[common_parser], add_help=False,
description=self.do_change_algorithm.__doc__,
epilog=change_algorithm_epilog,
formatter_class=argparse.RawDescriptionHelpFormatter,
help='change key algorithm')
subparser.set_defaults(func=self.do_change_algorithm)
subparser.add_argument('location', metavar='REPOSITORY', nargs='?', default='',
type=location_validator(archive=False))
subparser.add_argument('algorithm', metavar='ALGORITHM', choices=list(KEY_ALGORITHMS),
help='select key algorithm')
# borg list
list_epilog = process_epilog("""
This command lists the contents of a repository or an archive.

View file

@ -3630,6 +3630,16 @@ def test_change_location_does_not_change_algorithm_argon2(self):
def test_change_location_does_not_change_algorithm_pbkdf2(self):
self.verify_change_location_does_not_change_algorithm('pbkdf2', b'sha256')
def test_key_change_algorithm(self):
self.cmd('init', '--encryption=repokey', '--key-algorithm=pbkdf2', self.repository_location)
self.cmd('key', 'change-algorithm', self.repository_location, 'argon2')
with Repository(self.repository_path) as repository:
_, key = Manifest.load(repository, Manifest.NO_OPERATION_CHECK)
assert key._encrypted_key_algorithm == 'argon2 aes256-ctr hmac-sha256'
self.cmd('info', self.repository_location)
@unittest.skipUnless('binary' in BORG_EXES, 'no borg.exe available')
class ArchiverTestCaseBinary(ArchiverTestCase):