[Borgbackup] encryption mechanism understanding

Maurice Libes maurice.libes at osupytheas.fr
Wed Jul 12 06:22:10 EDT 2017


Hi to all,

For my understanding, may I have some basic elements about the 
encryption process between the server and the client?

In the "repokey" mode, the encryption key is stored in the config file 
of one repository, ok?
But the chunk encryption is done on the client, right?

So how is the client able to encrypt the chunks with the key which is 
stored on the server?
Does this mean that the key is sent on the network towards the client?

On the client side, how is the passphrase used? Does it serve to access the 
encryption key on the server?
Does this mean that the passphrase is sent to the borg server to access 
the encryption key of one repository?

Does the client need the encryption key stored on the server?

In short, I don't understand the different accesses made by the client 
and server to the key and the passphrase.

If one client PC crashes or burns, can I restore my data from another PC 
with only the passphrase sent to the borg server?


If my Borg server crashes (without the NAS containing the backup 
repositories), may I access the backed-up data again, with only a backup 
of the different encryption keys of the repositories (borg key export)?

Sorry if it is too long to explain.
Many thanks for any answers.

ML

PS: We are making a communication about borgbackup at a French congress in 
November
https://www.jres.org/fr/programme
and I need to clarify some issues.

-- 
M. LIBES
Service Informatique OSU Pytheas - UMS 3470 CNRS
Batiment Oceanomed
Campus de Luminy
13288 Marseille cedex 9
Tel: 04860 90529

