
Encryption advice: Safety repokey vs. keyfile / reuse key or key password #5285

deermo opened this issue Aug 5, 2020 · 4 comments


deermo commented Aug 5, 2020

This is a question. I'm planning a backup strategy based on borg. I have to back up two different machines to three different locations. As I consider the destinations untrusted, I want to encrypt my backup. This comes with the downside of having to back up the passwords / keys / location information in a separate location, as these might get lost when my machine breaks. For backing up this information, it would be convenient to have as few "pieces" as possible to back up. This is where my questions arise. I did not find good answers to these questions (if my search strategy failed, I apologize).

  1. I can choose between repokey, keyfile with password and keyfile without password. From an encryption perspective, can any of these be considered "safer" (when choosing an adequately safe password)?
  2. To reduce the amount of passwords I have to store, one option could be reusing the same password for multiple keys (keyfile or repokey mode), or even across different machines (i.e. one password for all 6 keys (2 machines x 3 locations) up to 6 passwords for 6 keys). I feel that this option leads to security issues, but did not find a reliable source for this. Can you comment on this?

Have you checked borgbackup docs, FAQ, and open Github issues?

Yes

Is this a BUG / ISSUE report or a QUESTION?

Question

System information. For client/server mode post info for both machines.

Client: MacBook
Server: Synology, Hetzner Storage Box

Your borg version (borg -V).

1.1.13

Operating system (distribution) and version.

macOS

@fantasya-pbem
Contributor

This is a good question. I feel that we can generate a new FAQ from the answer.

As a first hint, the docs for borg init and the existing FAQ may provide answers. The security internals may have some answers, too.

@ThomasWaldmann
Member

for that scenario, you should use 1 repo per client for better security.

ad 1:

a key that is not protected by a passphrase is less safe than one that is (because if it is, you can not use it without also knowing the passphrase).

repokey vs. keyfile is a matter of key storage location:

  • repokey is stored in the repository directory
  • keyfile is stored in the home directory on the client

keyfile is maybe a bit more secure (if you trust your client more than your repo server, see borg's threat model), but can also be less safe at the same time (because if you totally lose your client [theft, SSD dies, lightning, ...], you also lose your keyfile).

repokey has the key in the repository directory, so as long as you do not lose your repo, you likely also do not lose your key. there's a small chance to still lose it though, e.g. in case of a software or hardware bug or whatever.

so you'll need key backups in both cases.

also, if you passphrase protect the repokey, just having the repokey is not enough for an attacker to use it as they can't open it as they don't know the passphrase.

i think this is all more or less covered in our docs, if something is missing, a PR would be welcome.

ad 2:

reusing passwords is usually a bad idea and the more often you reuse the same password, the worse it gets should it be disclosed. this is a very fundamental thing and has nothing to do with how borg works.

considering that you usually need the plaintext passphrase at backup time to open the key and you usually want to automate this, there is no interactive password typing, but the password is either in some file or keyring or pw manager. should that one machine be compromised somehow and the password also works for other borg instances, you'd have an avoidable escalation of damage.
also, if it is automated anyway, there's not much point in reusing the same password (no need to manually type it in).

you need a (per repo) key backup anyway, so also having to back up the password doesn't make this significantly more difficult.

borg even offers a printable key backup.

@fantasya-pbem
Contributor

fantasya-pbem commented Aug 6, 2020

There is no single answer to this question. If you want to automate backups, your passwords have to be saved in plain text somewhere. If you don't want that, you can't automate the backup with password-protected keys.

  1. "I do not trust the backup server."
    Then you should not use repokey mode, especially without protecting it with a password. Use keyfile mode.
  2. "I do not trust the server, but I want my key to be stored with the backup."
    Use repokey with a unique password.
  3. "I am the only one who controls my backup server and want key-in-repo."
    Use repokey. You may choose not to protect the key with a password, to keep automation easier.
  4. "If my backup repo breaks, the keyfile is useless anyway."
    Use repokey if you can afford to lose the backup.
  5. "I want to keep the keys for several backups in one safe place."
    Use keyfile mode for all your backups, and make backups of them. You may not need them password-protected.
  6. "I want maximum security."
    Use keyfile with a unique password, and keep some keyfile backups at other places.

@deermo
Author

deermo commented Aug 8, 2020

Thank you very much for your comprehensive answers. I will go with keyfile with different passwords, as I have to backup the key anyway when using repokey (I did not consider this before). The printable key backup is very useful for this, very cool feature!
