Konubinix' opinionated web of thoughts

Borgbackup

fleeting

borg serve has special support for ssh forced commands (see authorized_keys example below): it will detect that you use such a forced command and extract the value of the –restrict-to-path option(s).

https://borgbackup.readthedocs.io/en/stable/usage/serve.html

Allow an SSH keypair to only run borg, and only have access to /path/to/repo.

$ cat ~/.ssh/authorized_keys command=“borg serve –restrict-to-path /path/to/repo”,restrict ssh-rsa AAAAB3[…]

$ cat ~/.ssh/authorized_keys command=“export BORG_XXX=value; borg serve […]",restrict

https://borgbackup.readthedocs.io/en/stable/usage/serve.html

For remote backups the encryption is done locally - the remote machine never sees your passphrase, your unencrypted key or your unencrypted files.

https://borgbackup.readthedocs.io/en/stable/usage/init.html?highlight=repokey#encryption-mode-tldr

Notes pointant ici