diff options
Diffstat (limited to 'docs/man/borg-init.1')
| -rw-r--r-- | docs/man/borg-init.1 | 31 |
1 files changed, 20 insertions, 11 deletions
diff --git a/docs/man/borg-init.1 b/docs/man/borg-init.1 index e25b9ca17..9576afa8d 100644 --- a/docs/man/borg-init.1 +++ b/docs/man/borg-init.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH BORG-INIT 1 "2017-06-11" "" "borg backup tool" +.TH BORG-INIT 1 "2017-06-18" "" "borg backup tool" .SH NAME borg-init \- Initialize an empty repository . @@ -81,6 +81,8 @@ a different keyboard layout. You can change your passphrase for existing repos at any time, it won\(aqt affect the encryption/decryption key or other secrets. .SS Encryption modes +.\" nanorst: inline-fill +. .TS center; |l|l|l|l|. @@ -103,9 +105,10 @@ SHA\-256 T} T{ none T} T{ -authenticated +\fIauthenticated\fP T} T{ -repokey, keyfile +repokey +keyfile T} _ T{ @@ -113,17 +116,22 @@ BLAKE2b T} T{ n/a T} T{ -authenticated\-blake2 +\fIauthenticated\-blake2\fP T} T{ -repokey\-blake2, -keyfile\-blake2 +\fIrepokey\-blake2\fP +\fIkeyfile\-blake2\fP T} _ .TE +.\" nanorst: inline-replace +. +.sp +\fIMarked modes\fP are new in Borg 1.1 and are not backwards\-compatible with Borg 1.0.x. .sp On modern Intel/AMD CPUs (except very cheap ones), AES is usually hardware\-accelerated. -BLAKE2b is faster than SHA256 on Intel/AMD 64\-bit CPUs, +BLAKE2b is faster than SHA256 on Intel/AMD 64\-bit CPUs +(except AMD Ryzen and future CPUs with SHA extensions), which makes \fIauthenticated\-blake2\fP faster than \fInone\fP and \fIauthenticated\fP\&. .sp On modern ARM CPUs, NEON provides hardware acceleration for SHA256 making it faster @@ -134,7 +142,7 @@ Hardware acceleration is always used automatically when available. \fIrepokey\fP and \fIkeyfile\fP use AES\-CTR\-256 for encryption and HMAC\-SHA256 for authentication in an encrypt\-then\-MAC (EtM) construction. The chunk ID hash is HMAC\-SHA256 as well (with a separate key). -These modes are compatible with borg 1.0.x. +These modes are compatible with Borg 1.0.x. .sp \fIrepokey\-blake2\fP and \fIkeyfile\-blake2\fP are also authenticated encryption modes, but use BLAKE2b\-256 instead of HMAC\-SHA256 for authentication. The chunk ID @@ -144,7 +152,7 @@ These modes are new and \fInot\fP compatible with Borg 1.0.x. \fIauthenticated\fP mode uses no encryption, but authenticates repository contents through the same HMAC\-SHA256 hash as the \fIrepokey\fP and \fIkeyfile\fP modes (it uses it as the chunk ID hash). The key is stored like \fIrepokey\fP\&. -This mode is new and \fInot\fP compatible with borg 1.0.x. +This mode is new and \fInot\fP compatible with Borg 1.0.x. .sp \fIauthenticated\-blake2\fP is like \fIauthenticated\fP, but uses the keyed BLAKE2b\-256 hash from the other blake2 modes. @@ -152,7 +160,8 @@ This mode is new and \fInot\fP compatible with Borg 1.0.x. .sp \fInone\fP mode uses no encryption and no authentication. It uses SHA256 as chunk ID hash. Not recommended, rather consider using an authenticated or -authenticated/encrypted mode. +authenticated/encrypted mode. This mode has possible denial\-of\-service issues +when running \fBborg create\fP on contents controlled by an attacker. Use it only for new repositories where no encryption is wanted \fBand\fP when compatibility with 1.0.x is important. If compatibility with 1.0.x is not important, use \fIauthenticated\-blake2\fP or \fIauthenticated\fP instead. @@ -172,7 +181,7 @@ repository to create .B \-e\fP,\fB \-\-encryption select encryption key mode \fB(required)\fP .TP -.B \-a\fP,\fB \-\-append\-only +.B \-\-append\-only create an append\-only mode repository .TP .B \-\-storage\-quota |