enzingerm / snapborg

Synchronize snapper snapshots to a borg repository
GNU General Public License v3.0

Bug: No support for repokey-blake2 #29

Closed Zelec closed 6 months ago

Zelec commented 6 months ago

Currently testing snapborg to see if it will fit better for my use case than manually snapshotting and using borgmatic directly.

In borg 1.1, repokey-blake2 was added to take advantage of how newer processors were able to process Blake2b faster than SHA256: https://borgbackup.readthedocs.io/en/stable/usage/init.html#more-encryption-modes

Got this bug when I attempted to set the encryption to "repokey-blake2":

# snapborg init
Traceback (most recent call last):
  File "/usr/bin/snapborg", line 33, in <module>
    sys.exit(load_entry_point('snapborg==0.1.0', 'console_scripts', 'snapborg')())
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/snapborg/commands/snapborg.py", line 73, in main
    init(cfg, snapper_configs=configs, dryrun=args.dryrun)
  File "/usr/lib/python3.11/site-packages/snapborg/commands/snapborg.py", line 241, in init
    BorgRepo.create_from_config(config).init(dryrun=dryrun)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/snapborg/borg.py", line 120, in create_from_config
    raise Exception("Invalid or unsupported encryption mode given!")
Exception: Invalid or unsupported encryption mode given!

From a rudimentary look, it looks like an edit on line 117 in borg.py would need to be added to have the elif evaluate for either repokey or repokey-blake2.

I haven't done an extensive look to ensure this is the only spot that needs changing, but I may take this upon myself to test & work out if that is all that is needed and put in a PR.

Zelec commented 6 months ago

After a simple edit to change that elif line to say elif encryption == "repokey" or encryption == "repokey-blake2": so far it appears to have done the trick.

# snapborg init
$ borg init --encryption repokey-blake2 --make-parent-dirs ssh://user@server:/~/Backups/borg/Laptop

By default repositories initialized with this version will produce security
errors if written to with an older version (up to and including Borg 1.0.8).

If you want to use these older versions, you can disable the check by running:
borg upgrade --disable-tam ssh://user@server:/~/Backups/borg/Laptop

See https://borgbackup.readthedocs.io/en/stable/changes.html#pre-1-0-9-manifest-spoofing-vulnerability for details about the security implications.

IMPORTANT: you will need both KEY AND PASSPHRASE to access this repo!
If you used a repokey mode, the key is stored in the repo, but you should back it up separately.
Use "borg key export" to export the key, optionally in printable format.
Write down the passphrase. Store both at safe place(s).
# snapborg backup
Backing up snapshots for snapper config 'root'...
Backing up snapshot number 15 from 2024-01-14T13:00:05...
$ borg create --one-file-system --stats --exclude-caches --checkpoint-interval 600 --compression auto,zstd,4 --timestamp 2024-01-14T13:00:05 --progress ssh://user@server:/~/Backups/borg/Laptop::root-15-2024-01-14T13:00:05 .

I'll create a proper PR shortly.

Zelec commented 6 months ago

Solved by PR https://github.com/enzingerm/snapborg/pull/30
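
The check discussed in this thread, generalized as an added example (not snapborg's code and not the change made in the PR): instead of chaining `or` comparisons, it parses the configured value against the encryption modes `borg init` accepts in Borg 1.1+ and rejects anything else before borg is invoked. The names `parse_encryption_mode`, `EncryptionMode` and `build_init_argv` are hypothetical, and treating a missing config value as "none" is an assumption.

```python
from dataclasses import dataclass
from typing import List, Optional

# Base modes accepted by `borg init --encryption` in Borg 1.1+:
# name -> (data encrypted?, where the key is stored)
BASE_MODES = {
    "none": (False, None),
    "authenticated": (False, "repo"),
    "repokey": (True, "repo"),
    "keyfile": (True, "local"),
}


@dataclass(frozen=True)
class EncryptionMode:
    name: str                    # exact value for --encryption
    encrypted: bool              # False for none / authenticated*
    key_location: Optional[str]  # "repo", "local" or None
    hash_name: Optional[str]     # "sha256", "blake2b" or None

    @property
    def needs_passphrase(self) -> bool:
        # Every mode that has a key protects it with a passphrase.
        return self.key_location is not None


def parse_encryption_mode(value: Optional[str]) -> EncryptionMode:
    """Hypothetical helper: validate a configured mode, reject anything else."""
    # Assumption: a missing config value means "none".
    name = "none" if value is None else str(value)
    base, sep, suffix = name.partition("-")
    known = base in BASE_MODES
    # Only the "-blake2" variant exists, and "none" has no variant.
    if not known or (sep and (suffix != "blake2" or base == "none")):
        raise ValueError(f"Invalid or unsupported encryption mode: {name!r}")
    encrypted, key_location = BASE_MODES[base]
    hash_name = None if base == "none" else ("blake2b" if sep else "sha256")
    return EncryptionMode(name, encrypted, key_location, hash_name)


def build_init_argv(repo: str, mode: EncryptionMode) -> List[str]:
    """Argument vector for the `borg init` call shown in the thread."""
    return ["borg", "init", "--encryption", mode.name, "--make-parent-dirs", repo]
```

`key_location` tells a caller whether the key lives in the repository or in a local file, which is what decides where a `borg key export` backup matters most.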