This is the command borgbackup that can be run in the OnWorks free hosting provider using one of our multiple free online workstations such as Ubuntu Online, Fedora Online, Windows online emulator or MAC OS online emulator
PROGRAM:
NAME
borg - BorgBackup is a deduplicating backup program with optional compression and
authenticated encryption.
Borg consists of a number of commands. Each command accepts a number of arguments and
options. The following sections will describe each command in detail.
GENERAL
Type of log output
The log level of the builtin logging configuration defaults to WARNING. This is because
we want Borg to be mostly silent and only output warnings, errors and critical messages.
Log levels: DEBUG < INFO < WARNING < ERROR < CRITICAL
Use --debug to set DEBUG log level - to get debug, info, warning, error and critical level
output.
Use --info (or -v or --verbose) to set INFO log level - to get info, warning, error and
critical level output.
Use --warning (default) to set WARNING log level - to get warning, error and critical
level output.
Use --error to set ERROR log level - to get error and critical level output.
Use --critical to set CRITICAL log level - to get critical level output.
While you can set misc. log levels, do not expect that every command will give different
output on different log levels - it's just a possibility.
WARNING:
Options --critical and --error are provided for completeness, their usage is not
recommended as you might miss important information.
WARNING:
While some options (like --stats or --list) will emit more informational messages, you
have to use INFO (or lower) log level to make them show up in log output. Use -v or a
logging configuration.
Return codes
Borg can exit with the following return codes (rc):
0 = success (logged as INFO)
1 = warning (operation reached its normal end, but there were warnings -
you should check the log, logged as WARNING)
2 = error (like a fatal error, a local or remote exception, the operation
did not reach its normal end, logged as ERROR)
128+N = killed by signal N (e.g. 137 == kill -9)
If you use --show-rc, the return code is also logged at the indicated level as the last
log entry.
Environment Variables
Borg uses some environment variables for automation:
General:
BORG_REPO
When set, use the value to give the default repository location. If a
command needs an archive parameter, you can abbreviate as ::archive. If a
command needs a repository parameter, you can either leave it away or
abbreviate as ::, if a positional parameter is required.
BORG_PASSPHRASE
When set, use the value to answer the passphrase question for encrypted
repositories.
BORG_DISPLAY_PASSPHRASE
When set, use the value to answer the "display the passphrase for
verification" question when defining a new passphrase for encrypted
repositories.
BORG_LOGGING_CONF
When set, use the given filename as INI-style logging configuration.
BORG_RSH
When set, use this command instead of ssh. This can be used to specify ssh
options, such as a custom identity file ssh -i /path/to/private/key. See man
ssh for other options.
TMPDIR where temporary files are stored (might need a lot of temporary space for
some operations)
Some automatic answerers (if set, they automatically answer confirmation questions):
BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=no (or =yes)
For "Warning: Attempting to access a previously unknown unencrypted
repository"
BORG_RELOCATED_REPO_ACCESS_IS_OK=no (or =yes)
For "Warning: The repository at location ... was previously located at ..."
BORG_CHECK_I_KNOW_WHAT_I_AM_DOING=NO (or =YES)
For "Warning: 'check --repair' is an experimental feature that might result
in data loss."
BORG_DELETE_I_KNOW_WHAT_I_AM_DOING=NO (or =YES)
For "You requested to completely DELETE the repository including all
archives it contains:"
Note: answers are case sensitive. setting an invalid answer value might either give
the default answer or ask you interactively, depending on whether retries are
allowed (they by default are allowed). So please test your scripts interactively
before making them a non-interactive script.
Directories:
BORG_KEYS_DIR
Default to '~/.config/borg/keys'. This directory contains keys for encrypted
repositories.
BORG_CACHE_DIR
Default to '~/.cache/borg'. This directory contains the local cache and
might need a lot of space for dealing with big repositories).
Building:
BORG_OPENSSL_PREFIX
Adds given OpenSSL header file directory to the default locations
(setup.py).
BORG_LZ4_PREFIX
Adds given LZ4 header file directory to the default locations (setup.py).
Please note:
· be very careful when using the "yes" sayers, the warnings with prompt exist for your /
your data's security/safety
· also be very careful when putting your passphrase into a script, make sure it has
appropriate file permissions (e.g. mode 600, root:root).
Resource Usage
Borg might use a lot of resources depending on the size of the data set it is dealing
with.
CPU: It won't go beyond 100% of 1 core as the code is currently single-threaded.
Especially higher zlib and lzma compression levels use significant amounts of CPU
cycles.
Memory (RAM):
The chunks index and the files index are read into memory for performance reasons.
Compression, esp. lzma compression with high levels might need substantial amounts
of memory.
Temporary files:
Reading data and metadata from a FUSE mounted repository will consume about the
same space as the deduplicated chunks used to represent them in the repository.
Cache files:
Contains the chunks index and files index (plus a compressed collection of
single-archive chunk indexes).
Chunks index:
Proportional to the amount of data chunks in your repo. Lots of chunks in your repo
imply a big chunks index. It is possible to tweak the chunker params (see create
options).
Files index:
Proportional to the amount of files in your last backup. Can be switched off (see
create options), but next backup will be much slower if you do.
Network:
If your repository is remote, all deduplicated (and optionally compressed/
encrypted) data of course has to go over the connection (ssh: repo url). If you
use a locally mounted network filesystem, additionally some copy operations used
for transaction support also go over the connection. If you backup multiple sources
to one target repository, additional traffic happens for cache resynchronization.
In case you are interested in more details, please read the internals documentation.
Units
To display quantities, Borg takes care of respecting the usual conventions of scale. Disk
sizes are displayed in decimal, using powers of ten (so kB means 1000 bytes). For memory
usage, binary prefixes are used, and are indicated using the IEC binary prefixes, using
powers of two (so KiB means 1024 bytes).
Date and Time
We format date and time conforming to ISO-8601, that is: YYYY-MM-DD and HH:MM:SS (24h
clock).
For more information about that, see: https://xkcd.com/1179/
Unless otherwise noted, we display local date and time. Internally, we store and process
date and time as UTC.
BORG INIT
usage: borg init [-h] [--critical] [--error] [--warning] [--info] [--debug]
[--lock-wait N] [--show-rc] [--no-files-cache] [--umask M]
[--remote-path PATH] [-e {none,keyfile,repokey}]
[REPOSITORY]
Initialize an empty repository
positional arguments:
REPOSITORY repository to create
optional arguments:
-h, --help show this help message and exit
--critical work on log level CRITICAL
--error work on log level ERROR
--warning work on log level WARNING (default)
--info, -v, --verbose
work on log level INFO
--debug work on log level DEBUG
--lock-wait N wait for the lock, but max. N seconds (default: 1).
--show-rc show/log the return code (rc)
--no-files-cache do not load/update the file metadata cache used to
detect unchanged files
--umask M set umask to M (local and remote, default: 0077)
--remote-path PATH set remote path to executable (default: "borg")
-e {none,keyfile,repokey}, --encryption {none,keyfile,repokey}
select encryption key mode (default: "repokey")
Description
This command initializes an empty repository. A repository is a filesystem directory
containing the deduplicated data from zero or more archives. Encryption can be enabled at
repository init time.
Examples
# Local repository (default is to use encryption in repokey mode)
$ borg init /path/to/repo
# Local repository (no encryption)
$ borg init --encryption=none /path/to/repo
# Remote repository (accesses a remote borg via ssh)
$ borg init user@hostname:backup
# Remote repository (store the key your home dir)
$ borg init --encryption=keyfile user@hostname:backup
Important notes about encryption:
It is not recommended to disable encryption. Repository encryption protects you e.g.
against the case that an attacker has access to your backup repository.
But be careful with the key / the passphrase:
If you want "passphrase-only" security, use the repokey mode. The key will be stored
inside the repository (in its "config" file). In above mentioned attack scenario, the
attacker will have the key (but not the passphrase).
If you want "passphrase and having-the-key" security, use the keyfile mode. The key will
be stored in your home directory (in .config/borg/keys). In the attack scenario, the
attacker who has just access to your repo won't have the key (and also not the
passphrase).
Make a backup copy of the key file (keyfile mode) or repo config file (repokey mode) and
keep it at a safe place, so you still have the key in case it gets corrupted or lost. Also
keep the passphrase at a safe place. The backup that is encrypted with that key won't
help you with that, of course.
Make sure you use a good passphrase. Not too short, not too simple. The real encryption /
decryption key is encrypted with / locked by your passphrase. If an attacker gets your
key, he can't unlock and use it without knowing the passphrase.
Be careful with special or non-ascii characters in your passphrase:
· Borg processes the passphrase as unicode (and encodes it as utf-8), so it does not have
problems dealing with even the strangest characters.
· BUT: that does not necessarily apply to your OS / VM / keyboard configuration.
So better use a long passphrase made from simple ascii chars than one that includes
non-ascii stuff or characters that are hard/impossible to enter on a different keyboard
layout.
You can change your passphrase for existing repos at any time, it won't affect the
encryption/decryption key or other secrets.
BORG CREATE
usage: borg create [-h] [--critical] [--error] [--warning] [--info] [--debug]
[--lock-wait N] [--show-rc] [--no-files-cache] [--umask M]
[--remote-path PATH] [-s] [-p] [--list]
[--filter STATUSCHARS] [-e PATTERN]
[--exclude-from EXCLUDEFILE] [--exclude-caches]
[--exclude-if-present FILENAME] [--keep-tag-files]
[-c SECONDS] [-x] [--numeric-owner]
[--timestamp yyyy-mm-ddThh:mm:ss]
[--chunker-params CHUNK_MIN_EXP,CHUNK_MAX_EXP,HASH_MASK_BITS,HASH_WINDOW_SIZE]
[--ignore-inode] [-C COMPRESSION] [--read-special] [-n]
ARCHIVE PATH [PATH ...]
Create new archive
positional arguments:
ARCHIVE name of archive to create (must be also a valid
directory name)
PATH paths to archive
optional arguments:
-h, --help show this help message and exit
--critical work on log level CRITICAL
--error work on log level ERROR
--warning work on log level WARNING (default)
--info, -v, --verbose
work on log level INFO
--debug work on log level DEBUG
--lock-wait N wait for the lock, but max. N seconds (default: 1).
--show-rc show/log the return code (rc)
--no-files-cache do not load/update the file metadata cache used to
detect unchanged files
--umask M set umask to M (local and remote, default: 0077)
--remote-path PATH set remote path to executable (default: "borg")
-s, --stats print statistics for the created archive
-p, --progress show progress display while creating the archive,
showing Original, Compressed and Deduplicated sizes,
followed by the Number of files seen and the path
being processed, default: False
--list output verbose list of items (files, dirs, ...)
--filter STATUSCHARS only display items with the given status characters
-e PATTERN, --exclude PATTERN
exclude paths matching PATTERN
--exclude-from EXCLUDEFILE
read exclude patterns from EXCLUDEFILE, one per line
--exclude-caches exclude directories that contain a CACHEDIR.TAG file
(http://www.brynosaurus.com/cachedir/spec.html)
--exclude-if-present FILENAME
exclude directories that contain the specified file
--keep-tag-files keep tag files of excluded caches/directories
-c SECONDS, --checkpoint-interval SECONDS
write checkpoint every SECONDS seconds (Default: 300)
-x, --one-file-system
stay in same file system, do not cross mount points
--numeric-owner only store numeric user and group identifiers
--timestamp yyyy-mm-ddThh:mm:ss
manually specify the archive creation date/time (UTC).
alternatively, give a reference file/directory.
--chunker-params CHUNK_MIN_EXP,CHUNK_MAX_EXP,HASH_MASK_BITS,HASH_WINDOW_SIZE
specify the chunker parameters. default: 19,23,21,4095
--ignore-inode ignore inode data in the file metadata cache used to
detect unchanged files.
-C COMPRESSION, --compression COMPRESSION
select compression algorithm (and level): none == no
compression (default), lz4 == lz4, zlib == zlib
(default level 6), zlib,0 .. zlib,9 == zlib (with
level 0..9), lzma == lzma (default level 6), lzma,0 ..
lzma,9 == lzma (with level 0..9).
--read-special open and read special files as if they were regular
files
-n, --dry-run do not create a backup archive
Description
This command creates a backup archive containing all files found while recursively
traversing all paths specified. The archive will consume almost no disk space for files or
parts of files that have already been stored in other archives.
To speed up pulling backups over sshfs and similar network file systems which do not
provide correct inode information the --ignore-inode flag can be used. This potentially
decreases reliability of change detection, while avoiding always reading all files on
these file systems.
See the output of the "borg help patterns" command for more help on exclude patterns.
Examples
# Backup ~/Documents into an archive named "my-documents"
$ borg create /path/to/repo::my-documents ~/Documents
# same, but verbosely list all files as we process them
$ borg create -v --list /path/to/repo::my-documents ~/Documents
# Backup ~/Documents and ~/src but exclude pyc files
$ borg create /path/to/repo::my-files
~/Documents
~/src
--exclude '*.pyc'
# Backup home directories excluding image thumbnails (i.e. only
# /home/*/.thumbnails is excluded, not /home/*/*/.thumbnails)
$ borg create /path/to/repo::my-files /home
--exclude 're:^/home/[^/]+/\.thumbnails/'
# Do the same using a shell-style pattern
$ borg create /path/to/repo::my-files /home
--exclude 'sh:/home/*/.thumbnails'
# Backup the root filesystem into an archive named "root-YYYY-MM-DD"
# use zlib compression (good, but slow) - default is no compression
$ borg create -C zlib,6 /path/to/repo::root-{now:%Y-%m-%d} / --one-file-system
# Make a big effort in fine granular deduplication (big chunk management
# overhead, needs a lot of RAM and disk space, see formula in internals
# docs - same parameters as borg < 1.0 or attic):
$ borg create --chunker-params 10,23,16,4095 /path/to/repo::small /smallstuff
# Backup a raw device (must not be active/in use/mounted at that time)
$ dd if=/dev/sdx bs=10M | borg create /path/to/repo::my-sdx -
# No compression (default)
$ borg create /path/to/repo::arch ~
# Super fast, low compression
$ borg create --compression lz4 /path/to/repo::arch ~
# Less fast, higher compression (N = 0..9)
$ borg create --compression zlib,N /path/to/repo::arch ~
# Even slower, even higher compression (N = 0..9)
$ borg create --compression lzma,N /path/to/repo::arch ~
# Format tags available for archive name:
# {now}, {utcnow}, {fqdn}, {hostname}, {user}, {pid}
# add short hostname, backup username and current unixtime (seconds from epoch)
$ borg create /path/to/repo::{hostname}-{user}-{now:%s} ~
BORG EXTRACT
usage: borg extract [-h] [--critical] [--error] [--warning] [--info] [--debug]
[--lock-wait N] [--show-rc] [--no-files-cache] [--umask M]
[--remote-path PATH] [--list] [-n] [-e PATTERN]
[--exclude-from EXCLUDEFILE] [--numeric-owner]
[--strip-components NUMBER] [--stdout] [--sparse]
ARCHIVE [PATH [PATH ...]]
Extract archive contents
positional arguments:
ARCHIVE archive to extract
PATH paths to extract; patterns are supported
optional arguments:
-h, --help show this help message and exit
--critical work on log level CRITICAL
--error work on log level ERROR
--warning work on log level WARNING (default)
--info, -v, --verbose
work on log level INFO
--debug work on log level DEBUG
--lock-wait N wait for the lock, but max. N seconds (default: 1).
--show-rc show/log the return code (rc)
--no-files-cache do not load/update the file metadata cache used to
detect unchanged files
--umask M set umask to M (local and remote, default: 0077)
--remote-path PATH set remote path to executable (default: "borg")
--list output verbose list of items (files, dirs, ...)
-n, --dry-run do not actually change any files
-e PATTERN, --exclude PATTERN
exclude paths matching PATTERN
--exclude-from EXCLUDEFILE
read exclude patterns from EXCLUDEFILE, one per line
--numeric-owner only obey numeric user and group identifiers
--strip-components NUMBER
Remove the specified number of leading path elements.
Pathnames with fewer elements will be silently
skipped.
--stdout write all extracted data to stdout
--sparse create holes in output sparse file from all-zero
chunks
Description
This command extracts the contents of an archive. By default the entire archive is
extracted but a subset of files and directories can be selected by passing a list of PATHs
as arguments. The file selection can further be restricted by using the --exclude option.
See the output of the "borg help patterns" command for more help on exclude patterns.
Examples
# Extract entire archive
$ borg extract /path/to/repo::my-files
# Extract entire archive and list files while processing
$ borg extract -v --list /path/to/repo::my-files
# Extract the "src" directory
$ borg extract /path/to/repo::my-files home/USERNAME/src
# Extract the "src" directory but exclude object files
$ borg extract /path/to/repo::my-files home/USERNAME/src --exclude '*.o'
# Restore a raw device (must not be active/in use/mounted at that time)
$ borg extract --stdout /path/to/repo::my-sdx | dd of=/dev/sdx bs=10M
Note: currently, extract always writes into the current working directory ("."),
so make sure you cd to the right place before calling borg extract.
BORG CHECK
usage: borg check [-h] [--critical] [--error] [--warning] [--info] [--debug]
[--lock-wait N] [--show-rc] [--no-files-cache] [--umask M]
[--remote-path PATH] [--repository-only] [--archives-only]
[--repair] [--save-space] [--last N] [-P PREFIX]
[REPOSITORY_OR_ARCHIVE]
Check repository consistency
positional arguments:
REPOSITORY_OR_ARCHIVE
repository or archive to check consistency of
optional arguments:
-h, --help show this help message and exit
--critical work on log level CRITICAL
--error work on log level ERROR
--warning work on log level WARNING (default)
--info, -v, --verbose
work on log level INFO
--debug work on log level DEBUG
--lock-wait N wait for the lock, but max. N seconds (default: 1).
--show-rc show/log the return code (rc)
--no-files-cache do not load/update the file metadata cache used to
detect unchanged files
--umask M set umask to M (local and remote, default: 0077)
--remote-path PATH set remote path to executable (default: "borg")
--repository-only only perform repository checks
--archives-only only perform archives checks
--repair attempt to repair any inconsistencies found
--save-space work slower, but using less space
--last N only check last N archives (Default: all)
-P PREFIX, --prefix PREFIX
only consider archive names starting with this prefix
Description
The check command verifies the consistency of a repository and the corresponding archives.
First, the underlying repository data files are checked:
· For all segments the segment magic (header) is checked
· For all objects stored in the segments, all metadata (e.g. crc and size) and all data is
read. The read data is checked by size and CRC. Bit rot and other types of accidental
damage can be detected this way.
· If we are in repair mode and a integrity error is detected for a segment, we try to
recover as many objects from the segment as possible.
· In repair mode, it makes sure that the index is consistent with the data stored in the
segments.
· If you use a remote repo server via ssh:, the repo check is executed on the repo server
without causing significant network traffic.
· The repository check can be skipped using the --archives-only option.
Second, the consistency and correctness of the archive metadata is verified:
· Is the repo manifest present? If not, it is rebuilt from archive metadata chunks (this
requires reading and decrypting of all metadata and data).
· Check if archive metadata chunk is present. if not, remove archive from manifest.
· For all files (items) in the archive, for all chunks referenced by these files, check if
chunk is present (if not and we are in repair mode, replace it with a same-size chunk of
zeros). This requires reading of archive and file metadata, but not data.
· If we are in repair mode and we checked all the archives: delete orphaned chunks from
the repo.
· if you use a remote repo server via ssh:, the archive check is executed on the client
machine (because if encryption is enabled, the checks will require decryption and this
is always done client-side, because key access will be required).
· The archive checks can be time consuming, they can be skipped using the
--repository-only option.
BORG RENAME
usage: borg rename [-h] [--critical] [--error] [--warning] [--info] [--debug]
[--lock-wait N] [--show-rc] [--no-files-cache] [--umask M]
[--remote-path PATH]
ARCHIVE NEWNAME
Rename an existing archive
positional arguments:
ARCHIVE archive to rename
NEWNAME the new archive name to use
optional arguments:
-h, --help show this help message and exit
--critical work on log level CRITICAL
--error work on log level ERROR
--warning work on log level WARNING (default)
--info, -v, --verbose
work on log level INFO
--debug work on log level DEBUG
--lock-wait N wait for the lock, but max. N seconds (default: 1).
--show-rc show/log the return code (rc)
--no-files-cache do not load/update the file metadata cache used to
detect unchanged files
--umask M set umask to M (local and remote, default: 0077)
--remote-path PATH set remote path to executable (default: "borg")
Description
This command renames an archive in the repository.
Examples
$ borg create /path/to/repo::archivename ~
$ borg list /path/to/repo
archivename Mon, 2016-02-15 19:50:19
$ borg rename /path/to/repo::archivename newname
$ borg list /path/to/repo
newname Mon, 2016-02-15 19:50:19
BORG LIST
usage: borg list [-h] [--critical] [--error] [--warning] [--info] [--debug]
[--lock-wait N] [--show-rc] [--no-files-cache] [--umask M]
[--remote-path PATH] [--short] [--list-format LISTFORMAT]
[-P PREFIX]
[REPOSITORY_OR_ARCHIVE]
List archive or repository contents
positional arguments:
REPOSITORY_OR_ARCHIVE
repository/archive to list contents of
optional arguments:
-h, --help show this help message and exit
--critical work on log level CRITICAL
--error work on log level ERROR
--warning work on log level WARNING (default)
--info, -v, --verbose
work on log level INFO
--debug work on log level DEBUG
--lock-wait N wait for the lock, but max. N seconds (default: 1).
--show-rc show/log the return code (rc)
--no-files-cache do not load/update the file metadata cache used to
detect unchanged files
--umask M set umask to M (local and remote, default: 0077)
--remote-path PATH set remote path to executable (default: "borg")
--short only print file/directory names, nothing else
--list-format LISTFORMAT
specify format for archive file listing (default:
"{mode} {user:6} {group:6} {size:8d} {isomtime}
{path}{extra}{NEWLINE}") Special "{formatkeys}" exists
to list available keys
-P PREFIX, --prefix PREFIX
only consider archive names starting with this prefix
Description
This command lists the contents of a repository or an archive.
Examples
$ borg list /path/to/repo
Monday Mon, 2016-02-15 19:15:11
repo Mon, 2016-02-15 19:26:54
root-2016-02-15 Mon, 2016-02-15 19:36:29
newname Mon, 2016-02-15 19:50:19
...
$ borg list /path/to/repo::root-2016-02-15
drwxr-xr-x root root 0 Mon, 2016-02-15 17:44:27 .
drwxrwxr-x root root 0 Mon, 2016-02-15 19:04:49 bin
-rwxr-xr-x root root 1029624 Thu, 2014-11-13 00:08:51 bin/bash
lrwxrwxrwx root root 0 Fri, 2015-03-27 20:24:26 bin/bzcmp -> bzdiff
-rwxr-xr-x root root 2140 Fri, 2015-03-27 20:24:22 bin/bzdiff
...
$ borg list /path/to/repo::archiveA --list-format="{mode} {user:6} {group:6} {size:8d} {isomtime} {path}{extra}{NEWLINE}"
drwxrwxr-x user user 0 Sun, 2015-02-01 11:00:00 .
drwxrwxr-x user user 0 Sun, 2015-02-01 11:00:00 code
drwxrwxr-x user user 0 Sun, 2015-02-01 11:00:00 code/myproject
-rw-rw-r-- user user 1416192 Sun, 2015-02-01 11:00:00 code/myproject/file.ext
...
# see what is changed between archives, based on file modification time, size and file path
$ borg list /path/to/repo::archiveA --list-format="{mtime:%s}{TAB}{size}{TAB}{path}{LF}" |sort -n > /tmp/list.archiveA
$ borg list /path/to/repo::archiveB --list-format="{mtime:%s}{TAB}{size}{TAB}{path}{LF}" |sort -n > /tmp/list.archiveB
$ diff -y /tmp/list.archiveA /tmp/list.archiveB
1422781200 0 . 1422781200 0 .
1422781200 0 code 1422781200 0 code
1422781200 0 code/myproject 1422781200 0 code/myproject
1422781200 1416192 code/myproject/file.ext | 1454664653 1416192 code/myproject/file.ext
...
BORG DELETE
usage: borg delete [-h] [--critical] [--error] [--warning] [--info] [--debug]
[--lock-wait N] [--show-rc] [--no-files-cache] [--umask M]
[--remote-path PATH] [-p] [-s] [-c] [--save-space]
[TARGET]
Delete an existing repository or archive
positional arguments:
TARGET archive or repository to delete
optional arguments:
-h, --help show this help message and exit
--critical work on log level CRITICAL
--error work on log level ERROR
--warning work on log level WARNING (default)
--info, -v, --verbose
work on log level INFO
--debug work on log level DEBUG
--lock-wait N wait for the lock, but max. N seconds (default: 1).
--show-rc show/log the return code (rc)
--no-files-cache do not load/update the file metadata cache used to
detect unchanged files
--umask M set umask to M (local and remote, default: 0077)
--remote-path PATH set remote path to executable (default: "borg")
-p, --progress show progress display while deleting a single archive
-s, --stats print statistics for the deleted archive
-c, --cache-only delete only the local cache for the given repository
--save-space work slower, but using less space
Description
This command deletes an archive from the repository or the complete repository. Disk
space is reclaimed accordingly. If you delete the complete repository, the local cache for
it (if any) is also deleted.
Examples
# delete a single backup archive:
$ borg delete /path/to/repo::Monday
# delete the whole repository and the related local cache:
$ borg delete /path/to/repo
You requested to completely DELETE the repository *including* all archives it contains:
repo Mon, 2016-02-15 19:26:54
root-2016-02-15 Mon, 2016-02-15 19:36:29
newname Mon, 2016-02-15 19:50:19
Type 'YES' if you understand this and want to continue: YES
BORG PRUNE
usage: borg prune [-h] [--critical] [--error] [--warning] [--info] [--debug]
[--lock-wait N] [--show-rc] [--no-files-cache] [--umask M]
[--remote-path PATH] [-n] [-s] [--list]
[--keep-within WITHIN] [-H HOURLY] [-d DAILY] [-w WEEKLY]
[-m MONTHLY] [-y YEARLY] [-P PREFIX] [--save-space]
[REPOSITORY]
Prune repository archives according to specified rules
positional arguments:
REPOSITORY repository to prune
optional arguments:
-h, --help show this help message and exit
--critical work on log level CRITICAL
--error work on log level ERROR
--warning work on log level WARNING (default)
--info, -v, --verbose
work on log level INFO
--debug work on log level DEBUG
--lock-wait N wait for the lock, but max. N seconds (default: 1).
--show-rc show/log the return code (rc)
--no-files-cache do not load/update the file metadata cache used to
detect unchanged files
--umask M set umask to M (local and remote, default: 0077)
--remote-path PATH set remote path to executable (default: "borg")
-n, --dry-run do not change repository
-s, --stats print statistics for the deleted archive
--list output verbose list of archives it keeps/prunes
--keep-within WITHIN keep all archives within this time interval
-H HOURLY, --keep-hourly HOURLY
number of hourly archives to keep
-d DAILY, --keep-daily DAILY
number of daily archives to keep
-w WEEKLY, --keep-weekly WEEKLY
number of weekly archives to keep
-m MONTHLY, --keep-monthly MONTHLY
number of monthly archives to keep
-y YEARLY, --keep-yearly YEARLY
number of yearly archives to keep
-P PREFIX, --prefix PREFIX
only consider archive names starting with this prefix
--save-space work slower, but using less space
Description
The prune command prunes a repository by deleting archives not matching any of the
specified retention options. This command is normally used by automated backup scripts
wanting to keep a certain number of historic backups.
As an example, "-d 7" means to keep the latest backup on each day, up to 7 most recent
days with backups (days without backups do not count). The rules are applied from hourly
to yearly, and backups selected by previous rules do not count towards those of later
rules. The time that each backup completes is used for pruning purposes. Dates and times
are interpreted in the local timezone, and weeks go from Monday to Sunday. Specifying a
negative number of archives to keep means that there is no limit.
The "--keep-within" option takes an argument of the form "<int><char>", where char is "H",
"d", "w", "m", "y". For example, "--keep-within 2d" means to keep all archives that were
created within the past 48 hours. "1m" is taken to mean "31d". The archives kept with
this option do not count towards the totals specified by any other options.
If a prefix is set with -P, then only archives that start with the prefix are considered
for deletion and only those archives count towards the totals specified by the rules.
Otherwise, all archives in the repository are candidates for deletion!
Examples
Be careful, prune is a potentially dangerous command, it will remove backup archives.
The default of prune is to apply to all archives in the repository unless you restrict its
operation to a subset of the archives using --prefix. When using --prefix, be careful to
choose a good prefix - e.g. do not use a prefix "foo" if you do not also want to match
"foobar".
It is strongly recommended to always run prune --dry-run ... first so you will see what it
would do without it actually doing anything.
# Keep 7 end of day and 4 additional end of week archives.
# Do a dry-run without actually deleting anything.
$ borg prune --dry-run --keep-daily=7 --keep-weekly=4 /path/to/repo
# Same as above but only apply to archive names starting with "foo":
$ borg prune --keep-daily=7 --keep-weekly=4 --prefix=foo /path/to/repo
# Keep 7 end of day, 4 additional end of week archives,
# and an end of month archive for every month:
$ borg prune --keep-daily=7 --keep-weekly=4 --keep-monthly=-1 /path/to/repo
# Keep all backups in the last 10 days, 4 additional end of week archives,
# and an end of month archive for every month:
$ borg prune --keep-within=10d --keep-weekly=4 --keep-monthly=-1 /path/to/repo
BORG INFO
usage: borg info [-h] [--critical] [--error] [--warning] [--info] [--debug]
[--lock-wait N] [--show-rc] [--no-files-cache] [--umask M]
[--remote-path PATH]
ARCHIVE
Show archive details such as disk space used
positional arguments:
ARCHIVE archive to display information about
optional arguments:
-h, --help show this help message and exit
--critical work on log level CRITICAL
--error work on log level ERROR
--warning work on log level WARNING (default)
--info, -v, --verbose
work on log level INFO
--debug work on log level DEBUG
--lock-wait N wait for the lock, but max. N seconds (default: 1).
--show-rc show/log the return code (rc)
--no-files-cache do not load/update the file metadata cache used to
detect unchanged files
--umask M set umask to M (local and remote, default: 0077)
--remote-path PATH set remote path to executable (default: "borg")
Description
This command displays some detailed information about the specified archive.
Examples
$ borg info /path/to/repo::root-2016-02-15
Name: root-2016-02-15
Fingerprint: 57c827621f21b000a8d363c1e163cc55983822b3afff3a96df595077a660be50
Hostname: myhostname
Username: root
Time (start): Mon, 2016-02-15 19:36:29
Time (end): Mon, 2016-02-15 19:39:26
Command line: /usr/local/bin/borg create -v --list -C zlib,6 /path/to/repo::root-2016-02-15 / --one-file-system
Number of files: 38100
Original size Compressed size Deduplicated size
This archive: 1.33 GB 613.25 MB 571.64 MB
All archives: 1.63 GB 853.66 MB 584.12 MB
Unique chunks Total chunks
Chunk index: 36858 48844
BORG MOUNT
usage: borg mount [-h] [--critical] [--error] [--warning] [--info] [--debug]
[--lock-wait N] [--show-rc] [--no-files-cache] [--umask M]
[--remote-path PATH] [-f] [-o OPTIONS]
REPOSITORY_OR_ARCHIVE MOUNTPOINT
Mount archive or an entire repository as a FUSE fileystem
positional arguments:
REPOSITORY_OR_ARCHIVE
repository/archive to mount
MOUNTPOINT where to mount filesystem
optional arguments:
-h, --help show this help message and exit
--critical work on log level CRITICAL
--error work on log level ERROR
--warning work on log level WARNING (default)
--info, -v, --verbose
work on log level INFO
--debug work on log level DEBUG
--lock-wait N wait for the lock, but max. N seconds (default: 1).
--show-rc show/log the return code (rc)
--no-files-cache do not load/update the file metadata cache used to
detect unchanged files
--umask M set umask to M (local and remote, default: 0077)
--remote-path PATH set remote path to executable (default: "borg")
-f, --foreground stay in foreground, do not daemonize
-o OPTIONS Extra mount options
Description
This command mounts an archive as a FUSE filesystem. This can be useful for browsing an
archive or restoring individual files. Unless the --foreground option is given the command
will run in the background until the filesystem is umounted.
Examples
$ borg mount /path/to/repo::root-2016-02-15 /tmp/mymountpoint
$ ls /tmp/mymountpoint
bin boot etc home lib lib64 lost+found media mnt opt root sbin srv tmp usr var
$ fusermount -u /tmp/mymountpoint
BORG CHANGE-PASSPHRASE
usage: borg change-passphrase [-h] [--critical] [--error] [--warning] [--info]
[--debug] [--lock-wait N] [--show-rc]
[--no-files-cache] [--umask M]
[--remote-path PATH]
[REPOSITORY]
Change repository key file passphrase
positional arguments:
REPOSITORY
optional arguments:
-h, --help show this help message and exit
--critical work on log level CRITICAL
--error work on log level ERROR
--warning work on log level WARNING (default)
--info, -v, --verbose
work on log level INFO
--debug work on log level DEBUG
--lock-wait N wait for the lock, but max. N seconds (default: 1).
--show-rc show/log the return code (rc)
--no-files-cache do not load/update the file metadata cache used to
detect unchanged files
--umask M set umask to M (local and remote, default: 0077)
--remote-path PATH set remote path to executable (default: "borg")
Description
The key files used for repository encryption are optionally passphrase protected. This
command can be used to change this passphrase.
Examples
# Create a key file protected repository
$ borg init --encryption=keyfile -v /path/to/repo
Initializing repository at "/path/to/repo"
Enter new passphrase:
Enter same passphrase again:
Remember your passphrase. Your data will be inaccessible without it.
Key in "/root/.config/borg/keys/mnt_backup" created.
Keep this key safe. Your data will be inaccessible without it.
Synchronizing chunks cache...
Archives: 0, w/ cached Idx: 0, w/ outdated Idx: 0, w/o cached Idx: 0.
Done.
# Change key file passphrase
$ borg change-passphrase -v /path/to/repo
Enter passphrase for key /root/.config/borg/keys/mnt_backup:
Enter new passphrase:
Enter same passphrase again:
Remember your passphrase. Your data will be inaccessible without it.
Key updated
BORG SERVE
usage: borg serve [-h] [--critical] [--error] [--warning] [--info] [--debug]
[--lock-wait N] [--show-rc] [--no-files-cache] [--umask M]
[--remote-path PATH] [--restrict-to-path PATH]
Start in server mode. This command is usually not used manually.
optional arguments:
-h, --help show this help message and exit
--critical work on log level CRITICAL
--error work on log level ERROR
--warning work on log level WARNING (default)
--info, -v, --verbose
work on log level INFO
--debug work on log level DEBUG
--lock-wait N wait for the lock, but max. N seconds (default: 1).
--show-rc show/log the return code (rc)
--no-files-cache do not load/update the file metadata cache used to
detect unchanged files
--umask M set umask to M (local and remote, default: 0077)
--remote-path PATH set remote path to executable (default: "borg")
--restrict-to-path PATH
restrict repository access to PATH
Description
This command starts a repository server process. This command is usually not used
manually.
Examples
borg serve has special support for ssh forced commands (see authorized_keys example
below): it will detect that you use such a forced command and extract the value of the
--restrict-to-path option(s). It will then parse the original command that came from the
client, makes sure that it is also borg serve and enforce path restriction(s) as given by
the forced command. That way, other options given by the client (like --info or --umask)
are preserved (and are not fixed by the forced command).
# Allow an SSH keypair to only run borg, and only have access to /path/to/repo.
# Use key options to disable unneeded and potentially dangerous SSH functionality.
# This will help to secure an automated remote backup system.
$ cat ~/.ssh/authorized_keys
command="borg serve --restrict-to-path /path/to/repo",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-user-rc ssh-rsa AAAAB3[...]
BORG UPGRADE
usage: borg upgrade [-h] [--critical] [--error] [--warning] [--info] [--debug]
[--lock-wait N] [--show-rc] [--no-files-cache] [--umask M]
[--remote-path PATH] [-p] [-n] [-i]
[REPOSITORY]
upgrade a repository from a previous version
positional arguments:
REPOSITORY path to the repository to be upgraded
optional arguments:
-h, --help show this help message and exit
--critical work on log level CRITICAL
--error work on log level ERROR
--warning work on log level WARNING (default)
--info, -v, --verbose
work on log level INFO
--debug work on log level DEBUG
--lock-wait N wait for the lock, but max. N seconds (default: 1).
--show-rc show/log the return code (rc)
--no-files-cache do not load/update the file metadata cache used to
detect unchanged files
--umask M set umask to M (local and remote, default: 0077)
--remote-path PATH set remote path to executable (default: "borg")
-p, --progress show progress display while upgrading the repository
-n, --dry-run do not change repository
-i, --inplace rewrite repository in place, with no chance of going
back to older versions of the repository.
Description
Upgrade an existing Borg repository. This currently supports converting an Attic
repository to Borg and also helps with converting Borg 0.xx to 1.0.
Currently, only LOCAL repositories can be upgraded (issue #465).
It will change the magic strings in the repository's segments to match the new Borg magic
strings. The keyfiles found in $ATTIC_KEYS_DIR or ~/.attic/keys/ will also be converted
and copied to $BORG_KEYS_DIR or ~/.config/borg/keys.
The cache files are converted, from $ATTIC_CACHE_DIR or ~/.cache/attic to $BORG_CACHE_DIR
or ~/.cache/borg, but the cache layout between Borg and Attic changed, so it is possible
the first backup after the conversion takes longer than expected due to the cache resync.
Upgrade should be able to resume if interrupted, although it will still iterate over all
segments. If you want to start from scratch, use borg delete over the copied repository to
make sure the cache files are also removed:
borg delete borg
Unless --inplace is specified, the upgrade process first creates a backup copy of the
repository, in REPOSITORY.upgrade-DATETIME, using hardlinks. This takes longer than in
place upgrades, but is much safer and gives progress information (as opposed to cp -al).
Once you are satisfied with the conversion, you can safely destroy the backup copy.
WARNING: Running the upgrade in place will make the current copy unusable with older
version, with no way of going back to previous versions. This can PERMANENTLY DAMAGE YOUR
REPOSITORY! Attic CAN NOT READ BORG REPOSITORIES, as the magic strings have changed. You
have been warned.
Examples
# Upgrade the borg repository to the most recent version.
$ borg upgrade -v /path/to/repo
making a hardlink copy in /path/to/repo.upgrade-2016-02-15-20:51:55
opening attic repository with borg and converting
no key file found for repository
converting repo index /path/to/repo/index.0
converting 1 segments...
converting borg 0.xx to borg current
no key file found for repository
MISCELLANEOUS HELP
borg help patterns
Exclusion patterns support four separate styles, fnmatch, shell, regular expressions and
path prefixes. If followed by a colon (':') the first two characters of a pattern are used
as a style selector. Explicit style selection is necessary when a non-default style is
desired or when the desired pattern starts with two alphanumeric characters followed by a
colon (i.e. aa:something/*).
Fnmatch, selector fm:
These patterns use a variant of shell pattern syntax, with '*' matching any number of
characters, '?' matching any single character, '[...]' matching any single character
specified, including ranges, and '[!...]' matching any character not specified. For the
purpose of these patterns, the path separator ('' for Windows and '/' on other systems)
is not treated specially. Wrap meta-characters in brackets for a literal match (i.e.
[?] to match the literal character ?). For a path to match a pattern, it must
completely match from start to end, or must match from the start to just before a path
separator. Except for the root path, paths will never end in the path separator when
matching is attempted. Thus, if a given pattern ends in a path separator, a '*' is
appended before matching is attempted.
Shell-style patterns, selector sh:
Like fnmatch patterns these are similar to shell patterns. The difference is that the
pattern may include **/ for matching zero or more directory levels, * for matching zero
or more arbitrary characters with the exception of any path separator.
Regular expressions, selector re:
Regular expressions similar to those found in Perl are supported. Unlike shell patterns
regular expressions are not required to match the complete path and any substring match
is sufficient. It is strongly recommended to anchor patterns to the start ('^'), to the
end ('$') or both. Path separators ('' for Windows and '/' on other systems) in paths
are always normalized to a forward slash ('/') before applying a pattern. The regular
expression syntax is described in the Python documentation for the re module.
Prefix path, selector pp:
This pattern style is useful to match whole sub-directories. The pattern pp:/data/bar
matches /data/bar and everything therein.
Exclusions can be passed via the command line option --exclude. When used from within a
shell the patterns should be quoted to protect them from expansion.
The --exclude-from option permits loading exclusion patterns from a text file with one
pattern per line. Lines empty or starting with the number sign ('#') after removing
whitespace on both ends are ignored. The optional style selector prefix is also supported
for patterns loaded from a file. Due to whitespace removal paths with whitespace at the
beginning or end can only be excluded using regular expressions.
Examples:
# Exclude '/home/user/file.o' but not '/home/user/file.odt': $ borg create -e '
*
.o' backup /
# Exclude '/home/user/junk' and '/home/user/subdir/junk' but # not
'/home/user/importantjunk' or '/etc/junk': $ borg create -e '/home/
*
/junk' backup /
# Exclude the contents of '/home/user/cache' but not the directory itself: $ borg create
-e /home/user/cache/ backup /
# The file '/home/user/cache/important' is not backed up: $ borg create -e
/home/user/cache/ backup / /home/user/cache/important
# The contents of directories in '/home' are not backed up when their name # ends in
'.tmp' $ borg create --exclude 're:^/home/[^/]+.tmp/' backup /
# Load exclusions from file $ cat >exclude.txt <<EOF # Comment line /home//junk *.tmp
fm:aa:something/ re:^/home/[^/].tmp/ sh:/home/
*
/.thumbnails EOF $ borg create --exclude-from exclude.txt backup /
DEBUG COMMANDS
There are some more commands (all starting with "debug-") which are all not intended for
normal use and potentially very dangerous if used incorrectly.
They exist to improve debugging capabilities without direct system access, e.g. in case
you ever run into some severe malfunction. Use them only if you know what you are doing or
if a trusted Borg developer tells you what to do.
ADDITIONAL NOTES
Here are misc. notes about topics that are maybe not covered in enough detail in the usage
section.
Item flags
borg create -v --list outputs a verbose list of all files, directories and other file
system items it considered (no matter whether they had content changes or not). For each
item, it prefixes a single-letter flag that indicates type and/or status of the item.
If you are interested only in a subset of that output, you can give e.g. --filter=AME and
it will only show regular files with A, M or E status (see below).
A uppercase character represents the status of a regular file relative to the "files"
cache (not relative to the repo -- this is an issue if the files cache is not used).
Metadata is stored in any case and for 'A' and 'M' also new data chunks are stored. For
'U' all data chunks refer to already existing chunks.
· 'A' = regular file, added (see also a_status_oddity in the FAQ)
· 'M' = regular file, modified
· 'U' = regular file, unchanged
· 'E' = regular file, an error happened while accessing/reading this file
A lowercase character means a file type other than a regular file, borg usually just
stores their metadata:
· 'd' = directory
· 'b' = block device
· 'c' = char device
· 'h' = regular file, hardlink (to already seen inodes)
· 's' = symlink
· 'f' = fifo
Other flags used include:
· 'i' = backup data was read from standard input (stdin)
· '-' = dry run, item was not backed up
· '?' = missing status code (if you see this, please file a bug report!)
--chunker-params
The chunker params influence how input files are cut into pieces (chunks) which are then
considered for deduplication. They also have a big impact on resource usage (RAM and disk
space) as the amount of resources needed is (also) determined by the total amount of
chunks in the repository (see Indexes / Caches memory usage for details).
--chunker-params=10,23,16,4095 results in a fine-grained deduplication and creates a big
amount of chunks and thus uses a lot of resources to manage them. This is good for
relatively small data volumes and if the machine has a good amount of free RAM and disk
space.
--chunker-params=19,23,21,4095 (default) results in a coarse-grained deduplication and
creates a much smaller amount of chunks and thus uses less resources. This is good for
relatively big data volumes and if the machine has a relatively low amount of free RAM and
disk space.
If you already have made some archives in a repository and you then change chunker params,
this of course impacts deduplication as the chunks will be cut differently.
In the worst case (all files are big and were touched in between backups), this will store
all content into the repository again.
Usually, it is not that bad though:
· usually most files are not touched, so it will just re-use the old chunks it already has
in the repo
· files smaller than the (both old and new) minimum chunksize result in only one chunk
anyway, so the resulting chunks are same and deduplication will apply
If you switch chunker params to save resources for an existing repo that already has some
backup archives, you will see an increasing effect over time, when more and more files
have been touched and stored again using the bigger chunksize and all references to the
smaller older chunks have been removed (by deleting / pruning archives).
If you want to see an immediate big effect on resource usage, you better start a new
repository when changing chunker params.
For more details, see chunker_details.
--read-special
The option --read-special is not intended for normal, filesystem-level (full or
partly-recursive) backups. You only give this option if you want to do something rather
... special -- and if you have hand-picked some files that you want to treat that way.
borg create --read-special will open all files without doing any special treatment
according to the file type (the only exception here are directories: they will be recursed
into). Just imagine what happens if you do cat filename --- the content you will see there
is what borg will backup for that filename.
So, for example, symlinks will be followed, block device content will be read, named pipes
/ UNIX domain sockets will be read.
You need to be careful with what you give as filename when using --read-special, e.g. if
you give /dev/zero, your backup will never terminate.
The given files' metadata is saved as it would be saved without --read-special (e.g. its
name, its size [might be 0], its mode, etc.) -- but additionally, also the content read
from it will be saved for it.
Restoring such files' content is currently only supported one at a time via --stdout
option (and you have to redirect stdout to where ever it shall go, maybe directly into an
existing device file of your choice or indirectly via dd).
Example
Imagine you have made some snapshots of logical volumes (LVs) you want to backup.
NOTE:
For some scenarios, this is a good method to get "crash-like" consistency (I call it
crash-like because it is the same as you would get if you just hit the reset button or
your machine would abrubtly and completely crash). This is better than no consistency
at all and a good method for some use cases, but likely not good enough if you have
databases running.
Then you create a backup archive of all these snapshots. The backup process will see a
"frozen" state of the logical volumes, while the processes working in the original volumes
continue changing the data stored there.
You also add the output of lvdisplay to your backup, so you can see the LV sizes in case
you ever need to recreate and restore them.
After the backup has completed, you remove the snapshots again.
$ # create snapshots here
$ lvdisplay > lvdisplay.txt
$ borg create --read-special /path/to/repo::arch lvdisplay.txt /dev/vg0/*-snapshot
$ # remove snapshots here
Now, let's see how to restore some LVs from such a backup.
$ borg extract /path/to/repo::arch lvdisplay.txt
$ # create empty LVs with correct sizes here (look into lvdisplay.txt).
$ # we assume that you created an empty root and home LV and overwrite it now:
$ borg extract --stdout /path/to/repo::arch dev/vg0/root-snapshot > /dev/vg0/root
$ borg extract --stdout /path/to/repo::arch dev/vg0/home-snapshot > /dev/vg0/home
Append-only mode
A repository can be made "append-only", which means that Borg will never overwrite or
delete committed data. This is useful for scenarios where multiple machines back up to a
central backup server using borg serve, since a hacked machine cannot delete backups
permanently.
To activate append-only mode, edit the repository config file and add a line append_only=1
to the [repository] section (or edit the line if it exists).
In append-only mode Borg will create a transaction log in the transactions file, where
each line is a transaction and a UTC timestamp.
Example
Suppose an attacker remotely deleted all backups, but your repository was in append-only
mode. A transaction log in this situation might look like this:
transaction 1, UTC time 2016-03-31T15:53:27.383532
transaction 5, UTC time 2016-03-31T15:53:52.588922
transaction 11, UTC time 2016-03-31T15:54:23.887256
transaction 12, UTC time 2016-03-31T15:55:54.022540
transaction 13, UTC time 2016-03-31T15:55:55.472564
From your security logs you conclude the attacker gained access at 15:54:00 and all the
backups where deleted or replaced by compromised backups. From the log you know that
transactions 11 and later are compromised. Note that the transaction ID is the name of the
last file in the transaction. For example, transaction 11 spans files 6 to 11.
In a real attack you'll likely want to keep the compromised repository intact to analyze
what the attacker tried to achieve. It's also a good idea to make this copy just in case
something goes wrong during the recovery. Since recovery is done by deleting some files, a
hard link copy (cp -al) is sufficient.
The first step to reset the repository to transaction 5, the last uncompromised
transaction, is to remove the hints.N and index.N files in the repository (these two files
are always expendable). In this example N is 13.
Then remove or move all segment files from the segment directories in data/ starting with
file 6:
rm data/**/{6..13}
That's all to it.
Drawbacks
As data is only appended, and nothing deleted, commands like prune or delete won't free
disk space, they merely tag data as deleted in a new transaction.
Note that you can go back-and-forth between normal and append-only operation by editing
the configuration file, it's not a "one way trip".
Further considerations
Append-only mode is not respected by tools other than Borg. rm still works on the
repository. Make sure that backup client machines only get to access the repository via
borg serve.
Ensure that no remote access is possible if the repository is temporarily set to normal
mode for e.g. regular pruning.
Further protections can be implemented, but are outside of Borgs scope. For example, file
system snapshots or wrapping borg serve to set special permissions or ACLs on new data
files.
Use borgbackup online using onworks.net services