borg [common options] key change-passphrase [options] [REPOSITORY]
positional arguments
    REPOSITORY
The key files used for repository encryption are optionally passphrase-protected. This command can be used to change this passphrase.
Please note that this command only changes the passphrase, but not any secret protected by it (e.g., encryption/MAC keys or the chunker seed). Thus, changing the passphrase after the passphrase and Borg key were compromised does not protect future (nor past) backups to the same repository.
# Create a key file protected repository
$ borg init --encryption=keyfile -v /path/to/repo
Initializing repository at "/path/to/repo"
Enter new passphrase:
Enter same passphrase again:
Remember your passphrase. Your data will be inaccessible without it.
Key in "/root/.config/borg/keys/mnt_backup" created.
Keep this key safe. Your data will be inaccessible without it.
Synchronizing chunks cache...
Archives: 0, w/ cached Idx: 0, w/ outdated Idx: 0, w/o cached Idx: 0.
Done.
# Change key file passphrase
$ borg key change-passphrase -v /path/to/repo
Enter passphrase for key /root/.config/borg/keys/mnt_backup:
Enter new passphrase:
Enter same passphrase again:
Remember your passphrase. Your data will be inaccessible without it.
Key updated
# Import a previously-exported key into the specified
# key file (creating or overwriting the output key)
# (keyfile repositories only)
$ BORG_KEY_FILE=/path/to/output-key borg key import /path/to/repo /path/to/exported
Fully automated using environment variables:
$ BORG_NEW_PASSPHRASE=old borg init -e=repokey repo
# now "old" is the current passphrase.
$ BORG_PASSPHRASE=old BORG_NEW_PASSPHRASE=new borg key change-passphrase repo
# now "new" is the current passphrase.
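The automated change above, wrapped with a key backup and a verification step, as an added example that is not part of the Borg documentation. The function name, the passphrase file paths, the exit codes and the use of borg list as the verification command are assumptions of this sketch.

```shell
# Added example (not from the Borg documentation). Passphrases are read from
# files whose paths are assumptions of this sketch, so they never land in
# shell history. The body runs in a subshell: umask and variables do not leak.
rotate_passphrase() (
    repo=$1 old_file=$2 new_file=$3 key_backup=$4
    umask 077                      # key backup readable by the owner only

    if [ -e "$key_backup" ]; then  # never clobber an earlier key backup
        echo "refusing to overwrite $key_backup" >&2
        exit 2
    fi

    old=$(cat "$old_file") && new=$(cat "$new_file") || exit 3
    if [ -z "$new" ] || [ "$new" = "$old" ]; then
        echo "new passphrase is empty or equal to the old one" >&2
        exit 4
    fi

    # Safety net: the export stays encrypted under the OLD passphrase.
    if ! borg key export "$repo" "$key_backup" || [ ! -s "$key_backup" ]; then
        echo "key export failed; passphrase left unchanged" >&2
        exit 5
    fi

    BORG_PASSPHRASE=$old BORG_NEW_PASSPHRASE=$new \
        borg key change-passphrase "$repo" || exit 6

    # Prove the new passphrase opens the repository before reporting success.
    BORG_PASSPHRASE=$new borg list "$repo" >/dev/null || exit 7

    echo "passphrase changed; encryption/MAC keys and chunker seed are unchanged" >&2
)
```

Once the new passphrase is verified, the pre-change key backup can be replaced by a fresh export, since it still opens with the old passphrase.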
borg [common options] key export [options] [REPOSITORY] [PATH]
positional arguments
    REPOSITORY
    PATH         where to store the backup
options
    --paper      Create an export suitable for printing and later type-in
    --qr-html    Create an html file suitable for printing and later type-in or qr scan
This command backs up the borg key.
If repository encryption is used, the repository is inaccessible without the borg key (and the passphrase that protects the borg key). If a repository is not encrypted, but authenticated, the borg key is still needed to access the repository normally.
For repositories using keyfile encryption the key is kept locally on the system that is capable of doing backups. To guard against loss or corruption of this key, the key needs to be backed up independently of the main data backup.
For repositories using repokey encryption or authenticated mode the key is kept in the repository. A backup is thus not strictly needed, but guards against the repository becoming inaccessible if the key is corrupted or lost.
Note that the backup produced does not include the passphrase itself (i.e. the exported key stays encrypted). In order to regain access to a repository, one needs both the exported key and the original passphrase. Keep the exported key and the passphrase in safe places.
There are three backup formats. The normal backup format is suitable for
digital storage as a file. The --paper backup format is optimized
for printing and typing in while importing, with per line checks to
reduce problems with manual input. The --qr-html format creates a printable
HTML template with a QR code and a copy of the --paper-formatted key.
Examples:
borg key export /path/to/repo > encrypted-key-backup
borg key export --paper /path/to/repo > encrypted-key-backup.txt
borg key export --qr-html /path/to/repo > encrypted-key-backup.html
# Or pass the output file as an argument instead of redirecting stdout:
borg key export /path/to/repo encrypted-key-backup
borg key export --paper /path/to/repo encrypted-key-backup.txt
borg key export --qr-html /path/to/repo encrypted-key-backup.html
borg [common options] key import [options] [REPOSITORY] [PATH]
positional arguments
    REPOSITORY
    PATH         path to the backup (‘-’ to read from stdin)
options
    --paper      interactively import from a backup done with
This command restores a key previously backed up with the export command.
If the --paper option is given, the import will be an interactive
process in which each line is checked for plausibility before
proceeding to the next line. For this format, PATH must not be provided.
For repositories using keyfile encryption, the key file which borg key
import writes to depends on several factors. If the BORG_KEY_FILE
environment variable is set and non-empty, borg key import creates
or overwrites the file named by $BORG_KEY_FILE. Otherwise, borg
key import searches in the $BORG_KEYS_DIR directory for a key file
associated with the repository. If a key file is found in
$BORG_KEYS_DIR, borg key import overwrites it; otherwise, borg
key import creates a new key file in $BORG_KEYS_DIR.