borg init --encryption=keyfile /path/to/repo borg create -C lz4 /path/to/repo::NAME-YOUR-BACKUP ~/Documents
Before you start creating backups, please make sure that there is always a good amount of free space on the filesystem that has your backup repository (and also on ~/.cache).
Default enabled with
borg init --encryption=none|repokey|keyfile PATH
When repository encryption is enabled, all data is encrypted using 256-bit AES encryption and the integrity and authenticity is verified using HMAC-SHA256.
repokey: key is stored inside the repository (
keyfile: key is stored under
In both modes, the key is stored in encrypted form and can be only decrypted by providing the correct passphrase.
Do not forget to backup the key (e.g. via
borg key export).
For automated backups the passphrase can be specified using the BORG_PASSPHRASE environment variable.
Be careful how you set the environment;
using the env command, a
system() call or using inline shell scripts
might expose the credentials in the process list directly
and they will be readable to all users on a system.
export in a shell script file should be safe, however,
as the environment of a process is accessible only to that user.
Also, using a shell command may leak the passphrase in shell history file.
For server backup, have a look at borgmatic.
borg create --compression TYPE
Default is no compression.
lz4 is very fast thus preferred.
lzma is preferred when the repository is on a remote host with slow (dial-up) connection.
borg upgrade --inplace REPOSITORY
If a backup copy is required, omit the