@@ -116,22 +116,27 @@ Encryption
116116AEAD modes
117117~~~~~~~~~~
118118
119- Modes: --encryption (repokey|keyfile)-[blake2-](aes-ocb|chacha20-poly1305)
119+ Modes: ``--encryption (aes256-ocb|chacha20-poly1305) `` plus
120+ ``--id-hash (sha256|blake3) ``
120121
121122Supported: borg 2.0+
122123
124+ The cipher is selected by ``--encryption `` (see :ref: `borg_repo-create `), the
125+ key storage location (repokey or keyfile) by ``--key-location ``, and the chunk
126+ ID hash function by ``--id-hash `` — these three are orthogonal.
127+
123128Encryption with these modes is based on AEAD ciphers (authenticated encryption
124129with associated data) and session keys.
125130
126- Depending on the chosen mode (see :ref: ` borg_repo-create `) different AEAD ciphers are used:
131+ Depending on the chosen mode different AEAD ciphers are used:
127132
128133- AES-256-OCB - super fast, single-pass algorithm IF you have hw accelerated AES.
129134- chacha20-poly1305 - very fast, purely software based AEAD cipher.
130135
131136The chunk ID is derived via a MAC over the plaintext (mac key taken from borg key):
132137
133- - HMAC-SHA256 - super fast IF you have hw accelerated SHA256 (see section "Encryption" below).
134- - Blake2b - very fast, purely software based algorithm.
138+ - HMAC-SHA256 (`` --id-hash sha256 ``) - super fast IF you have hw accelerated SHA256 (see section "Encryption" below).
139+ - keyed BLAKE3 (`` --id-hash blake3 ``) - very fast, purely software based algorithm.
135140
136141For each borg invocation, a new session id is generated by `os.urandom `_.
137142
@@ -177,8 +182,8 @@ Decryption::
177182Notable:
178183
179184- More modern and often faster AEAD ciphers instead of self-assembled stuff.
180- - Due to the usage of session keys, IVs (nonces) do not need special care here as
181- they did for the legacy encryption modes.
185+ - Due to the usage of session keys, which just start at 0 per session, IVs (nonces)
186+ do not need long-term special care here as they did for the legacy encryption modes.
182187- The id is now also input into the authentication tag computation.
183188 This strongly associates the id with the written data (== associates the key with
184189 the value). When later reading the data for some id, authentication will only
@@ -188,11 +193,14 @@ Notable:
188193Legacy modes
189194~~~~~~~~~~~~
190195
191- Modes: --encryption (repokey|keyfile)-[ blake2]
196+ Modes: `` --encryption (repokey|keyfile)[- blake2] ``
192197
193198Supported: borg < 2.0
194199
195- These were the AES-CTR based modes in previous borg versions.
200+ These were the AES-CTR based modes in previous borg versions, with the chunk ID
201+ derived via HMAC-SHA256 or (in the ``-blake2 `` variants) Blake2b. ``blake2b `` is
202+ only used by these legacy modes; new repositories use ``sha256 `` or ``blake3 ``
203+ (see above).
196204
197205borg 2.0 does not support creating new repos using these modes,
198206but ``borg transfer `` can still read such existing repos.
@@ -215,13 +223,30 @@ to Encrypt-*then*-MAC a packed representation of the keys using the
215223chacha20-poly1305 AEAD cipher and a constant IV == 0.
216224The ciphertext is then converted to base64.
217225
218- This base64 blob (commonly referred to as * keyblob *) is then stored in
219- the key file or in the repository config (keyfile and repokey modes
220- respectively) .
226+ This base64-encoded * borg key * is then stored in the key file or under the
227+ repository's `` keys/ `` namespace (keyfile and repokey modes respectively), named
228+ by the sha256 of its content .
221229
222230The use of a constant IV is secure because an identical passphrase will
223231result in a different derived KEK for every key encryption due to the salt.
224232
233+ .. _borgcrypto_multiple_keys :
234+
235+ Multiple borg keys
236+ ~~~~~~~~~~~~~~~~~~
237+
238+ A repository (or a client-side keyfile directory) may hold *multiple * borg keys,
239+ each encrypted with its own passphrase but all wrapping the **same ** underlying
240+ key material. This lets several people access a shared repository with
241+ independent passphrases, without sharing one secret. Or you can add borg keys
242+ for redundant, more fault-tolerant storage.
243+
244+ keyfile and repokey borg keys use the same format and the same sha256-content
245+ naming; borg locates a borg key independently of its key type byte and tries each
246+ available one against the supplied passphrase until one decrypts. A borg key may
247+ carry a label for management. The constant-IV argument above still holds, because
248+ each borg key has its own random argon2 salt and therefore a distinct derived KEK.
249+
225250
226251.. seealso ::
227252
@@ -239,13 +264,16 @@ on widely used libraries providing them:
239264 We think this is not an additional risk, since we don't ever
240265 use OpenSSL's networking, TLS or X.509 code, but only their
241266 primitives implemented in libcrypto.
242- - SHA-256, SHA-512 and BLAKE2b from Python's hashlib _ standard library module are used.
267+ - SHA-256 and SHA-512 from Python's hashlib _ standard library module are used.
268+ - BLAKE3 is used via the blake3 _ package (new repos, ``--id-hash blake3 ``).
269+ - BLAKE2b from Python's hashlib _ is only used to read legacy (borg < 2.0) repos.
243270- HMAC and a constant-time comparison from Python's hmac _ standard library module are used.
244271- argon2 is used via argon2-cffi.
245272
246273.. _Horton principle : https://en.wikipedia.org/wiki/Horton_Principle
247274.. _length extension : https://en.wikipedia.org/wiki/Length_extension_attack
248275.. _hashlib : https://docs.python.org/3/library/hashlib.html
276+ .. _blake3 : https://pypi.org/project/blake3/
249277.. _hmac : https://docs.python.org/3/library/hmac.html
250278.. _os.urandom : https://docs.python.org/3/library/os.html#os.urandom
251279
0 commit comments