borg [common options] key change-passphrase [options] [REPOSITORY]
positional arguments | ||
REPOSITORY |
||
The key files used for repository encryption are optionally passphrase protected. This command can be used to change this passphrase.
Please note that this command only changes the passphrase, but not any secret protected by it (like e.g. encryption/MAC keys or chunker seed). Thus, changing the passphrase after passphrase and borg key got compromised does not protect future (nor past) backups to the same repository.
# Create a key file protected repository
$ borg init --encryption=keyfile -v /path/to/repo
Initializing repository at "/path/to/repo"
Enter new passphrase:
Enter same passphrase again:
Remember your passphrase. Your data will be inaccessible without it.
Key in "/root/.config/borg/keys/mnt_backup" created.
Keep this key safe. Your data will be inaccessible without it.
Synchronizing chunks cache...
Archives: 0, w/ cached Idx: 0, w/ outdated Idx: 0, w/o cached Idx: 0.
Done.
# Change key file passphrase
$ borg key change-passphrase -v /path/to/repo
Enter passphrase for key /root/.config/borg/keys/mnt_backup:
Enter new passphrase:
Enter same passphrase again:
Remember your passphrase. Your data will be inaccessible without it.
Key updated
Fully automated using environment variables:
$ BORG_NEW_PASSPHRASE=old borg init -e=repokey repo
# now "old" is the current passphrase.
$ BORG_PASSPHRASE=old BORG_NEW_PASSPHRASE=new borg key change-passphrase repo
# now "new" is the current passphrase.
borg [common options] key export [options] [REPOSITORY] [PATH]
positional arguments | ||
REPOSITORY |
||
PATH |
where to store the backup | |
optional arguments | ||
--paper |
Create an export suitable for printing and later type-in | |
--qr-html |
Create an html file suitable for printing and later type-in or qr scan | |
If repository encryption is used, the repository is inaccessible without the key. This command allows to backup this essential key. Note that the backup produced does not include the passphrase itself (i.e. the exported key stays encrypted). In order to regain access to a repository, one needs both the exported key and the original passphrase.
There are two backup formats. The normal backup format is suitable for
digital storage as a file. The --paper
backup format is optimized
for printing and typing in while importing, with per line checks to
reduce problems with manual input.
For repositories using keyfile encryption the key is saved locally on the system that is capable of doing backups. To guard against loss of this key, the key needs to be backed up independently of the main data backup.
For repositories using the repokey encryption the key is saved in the repository in the config file. A backup is thus not strictly needed, but guards against the repository becoming inaccessible if the file is damaged for some reason.
borg [common options] key import [options] [REPOSITORY] [PATH]
positional arguments | ||
REPOSITORY |
||
PATH |
path to the backup (‘-’ to read from stdin) | |
optional arguments | ||
--paper |
interactively import from a backup done with --paper |
|
This command allows to restore a key previously backed up with the export command.
If the --paper
option is given, the import will be an interactive
process in which each line is checked for plausibility before
proceeding to the next line. For this format PATH must not be given.