borg key change-passphrase
**************************

   borg [common options] key change-passphrase [options] [REPOSITORY]


Description
===========

The key files used for repository encryption are optionally
passphrase- protected. This command can be used to change this
passphrase.

Please note that this command only changes the passphrase, but not any
secret protected by it (e.g., encryption/MAC keys or the chunker
seed). Thus, changing the passphrase after the passphrase and Borg key
were compromised does not protect future (nor past) backups to the
same repository.


Examples
========

   # Create a key file protected repository
   $ borg init --encryption=keyfile -v /path/to/repo
   Initializing repository at "/path/to/repo"
   Enter new passphrase:
   Enter same passphrase again:
   Remember your passphrase. Your data will be inaccessible without it.
   Key in "/root/.config/borg/keys/mnt_backup" created.
   Keep this key safe. Your data will be inaccessible without it.
   Synchronizing chunks cache...
   Archives: 0, w/ cached Idx: 0, w/ outdated Idx: 0, w/o cached Idx: 0.
   Done.

   # Change key file passphrase
   $ borg key change-passphrase -v /path/to/repo
   Enter passphrase for key /root/.config/borg/keys/mnt_backup:
   Enter new passphrase:
   Enter same passphrase again:
   Remember your passphrase. Your data will be inaccessible without it.
   Key updated

   # Import a previously-exported key into the specified
   # key file (creating or overwriting the output key)
   # (keyfile repositories only)
   $ BORG_KEY_FILE=/path/to/output-key borg key import /path/to/repo /path/to/exported

Fully automated using environment variables:

   $ BORG_NEW_PASSPHRASE=old borg init -e=repokey repo
   # now "old" is the current passphrase.
   $ BORG_PASSPHRASE=old BORG_NEW_PASSPHRASE=new borg key change-passphrase repo
   # now "new" is the current passphrase.


borg key export
***************

   borg [common options] key export [options] [REPOSITORY] [PATH]


Description
===========

If repository encryption is used, the repository is inaccessible
without the key. This command allows one to back up this essential
key. Note that the backup produced does not include the passphrase
itself (i.e., the exported key stays encrypted). In order to regain
access to a repository, one needs both the exported key and the
original passphrase.

There are three backup formats. The normal backup format is suitable
for digital storage as a file. The "--paper" backup format is
optimized for printing and typing in while importing, with per-line
checks to reduce problems with manual input. The "--qr-html" option
creates a printable HTML template with a QR code and a copy of the "--
paper"-formatted key.

For repositories using keyfile encryption the key is saved locally on
the system that is capable of doing backups. To guard against loss of
this key, the key needs to be backed up independently of the main data
backup.

For repositories using repokey encryption, the key is saved in the
repository in the config file. A backup is thus not strictly needed,
but it guards against the repository becoming inaccessible if the file
is damaged for some reason.

Examples:

   borg key export /path/to/repo > encrypted-key-backup
   borg key export --paper /path/to/repo > encrypted-key-backup.txt
   borg key export --qr-html /path/to/repo > encrypted-key-backup.html
   # Or pass the output file as an argument instead of redirecting stdout:
   borg key export /path/to/repo encrypted-key-backup
   borg key export --paper /path/to/repo encrypted-key-backup.txt
   borg key export --qr-html /path/to/repo encrypted-key-backup.html


borg key import
***************

   borg [common options] key import [options] [REPOSITORY] [PATH]


Description
===========

This command restores a key previously backed up with the export
command.

If the "--paper" option is given, the import will be an interactive
process in which each line is checked for plausibility before
proceeding to the next line. For this format, PATH must not be
provided.

For repositories using keyfile encryption, the key file which "borg
key import" writes to depends on several factors. If the
"BORG_KEY_FILE" environment variable is set and non-empty, "borg key
import" creates or overwrites the file named by "$BORG_KEY_FILE".
Otherwise, "borg key import" searches in the "$BORG_KEYS_DIR"
directory for a key file associated with the repository. If a key file
is found in "$BORG_KEYS_DIR", "borg key import" overwrites it;
otherwise, "borg key import" creates a new key file in
"$BORG_KEYS_DIR".
