password when initializing new repo

[CouldBeThis]

I realized that I am confused about the function of this password:

Remote Backups | Vorta for BorgBackup:

In the dialog, paste the Repo URL and choose a secure password. If you don’t have specific encryption requirements and didn’t change the default name of the SSH key, you can keep the other settings at their defaults.

I am confused because he password is set up locally, and not when creating repo on the borgbase server.

1. Does the password go back to the server somehow?

2. What is the consequence of forgetting this password? are the backups unrecoverable? or does it only affect local interaction?

3. Could I have the same repo with different password on different machines?

4. Since there is already an account password, ssh key with optional password, what is the added benefit of another password on top? what is the threat model?

5. How do I remove a password once it's set?

6. If one were to use unique password for every repo, what would be a feasible system to manage them? Especially if you need to access them without having access to your local key store files. Do you need to make a separate backup of these?

A summary answer to the above would be fine.. I feel like I am just missing a concept.

I also read #1920 but didn't clear it up for me

[goebbe]

Short answer: This "Password" is the passphrase of the repository, in which your archives are stored. (In newer versions of Vorta it is called "passphrase" instead of "Password")
By default, the backups are all stored in an encrypted repository. Whenever you access the repository (i.e. for a backup, or for restoring) this passphrase (and the corresponding keyfile or repokey) is required.
Vorta stores this passphrase for you (e.g. in the "keyring" of your OS) - and whenever Vorta needs access to the repository, it uses this passphrase.

Does the password go back to the server somehow?

The passphrase is not stored on the server.

What is the consequence of forgetting this password? are the backups unrecoverable? or does it only affect local interaction?

Normally, Vorta stored the password for you - and uses it whenever required. Without this password the repository would be unrecoverable.

Could I have the same repo with different password on different machines?

There is only one passphrase per repo. If you want to make backups from different machines, you should probably use different repos.

Since there is already an account password, ssh key with optional password, what is the added benefit of another password on top? what is the threat model?

If a third party gets access to your encrypted repository (e.g. the provider of your backup server) they are not able to read the content of your repository. Without this password, access to your encrypted repository is worthless.

How do I remove a password once it's set?

I am not sure it it is possible to remove a passphrase if the repos has been set up with encryption.
However, when you setup a new repo, it is possible to generate a repo without encryption (Encryption: "None"). But this is not recommended.
Moreover, using (underlying) borg, it is possible to use a local keyfile together with an empty passphrase - in this case the repo is encrypted, using the keyfile only. borg also allows to change a passphrase for a repository. Please keep in mind that Vorta does not support every possible feature of borg.

If one were to use unique password for every repo, what would be a feasible system to manage them? Especially if you need to access them without having access to your local key store files. Do you need to make a separate backup of these?

I recommend to store all the necessary information in a password manager.
In new versions of Vorta you can "export current profile", which contains the required information (optional: including the passphrase) in a .json file. You can store this file in your password manager.

If you are interested in the requirements for recovery in a worst case scenario,please see the following discussion: #1921 (comment)

I hope this is helpful. :-)

[CouldBeThis]

Thanks! That makes it much clearer. I also read the other thread. It is a great idea to actually test out recovery.

I use the bitwarden password manager because I absolutely require sync.

It is great for strings like usernames and passwords which are organized by URL. But once you start needing to keep keys and other files like this json the workflow kind of breaks down. It is very easy to skip doing it, miss updating new information or even fail to find files which have been added.

It's really focused on website accounts and lacks sophisticated organization for other kinds of relationships. Like associating a password (which could change in some situations though not in this one it seems) with the name of a repo (which can also change). I've tried some of the keepass-type password managers and I'm not sure if they are much better for this?

I feel that there are a lot of ways to screw this up and not realize it until disaster strikes. I don't think the documentation is very clear.. I have been using vorta on and off for 3-4 years and I never even thought about it.

What you wrote above is a big improvement! I think all this should be thoroughly explained.

When creating/editing a repo on borgbase, under "Access" it says:

SSH keys are used to access the repository without a password.

Probably this is where I got confused. It sounds like the ssh key is enough. But if I understand, you are saying it is not. Unless encryption is turned off, but why would I do that. So I thought that as long as I have the borgbase username/password, I could always log into the website and add another key. That is wrong though? You still need the password for each specific repo in addition?

I wonder if there would be a way to "test" one's ability to recover from a backup without doing the whole procedure like you did in the other thread. On android, the seedvault backup tool has a way to verify that you have the correct "seed" passphrase. I find seedvault overly aggressive about this but something optional would be useful.

Or I wonder if it would make sense to make a special "recovery" vault, that has the other required information kept updated. Would that just defeat the security precautions? Perhaps there would be a way to separate them in some way. Like using a local backup target and explaining how to make an encrypted usb thumbdisk. Maybe Vorta could keep track of when it needs to be updated, verify it etc. Does that make sense? Possibly too complicated for a cross-platform tool given multiple filesystem formats available windows, mac and linux.

I don't really like the idea of a json file with complete backup access ever existing. :/ I think it can encourage people to do things like keep it on an unencrypted USB thumb drive, email it to themselves, upload to google drive, etc, because it is so important to have access to it. It's really easy to think you've deleted something but not properly do it especially on an unencrypted SSD. Or to have a file propagating across multiple devices without realizing it.

Another example from Android that might be worth looking at is aegis TOTP app. It has a very smooth feature that automatically creates encrypted backups in a specified location. Then you can use whatever sync/copy/backup/access method to keep a copy of it anywhere. You can export a plain text version of the file if you want, for example if you want to use a different application. But only manually. The encrypted option is the easy way.

If I understand properly, the vault password can never be changed. So for example, what if you knew for a fact that your passwords had been compromised? Would the best option be to delete the repos off the remote servers?

Or what if you realized you lost access to your passwords? You deleted your password manager or something. Is there any way to regain it or should you just delete everything and start from scratch?

[goebbe]

@CouldBeThis
It is important to understand that with Vorta/ borg there are two layers of encryption involved:

1. The encryption of the repository (i.e. the backup data itself). Normally the keyfile and passphrase are required to read / write to encrypted repositories.
2. The encryption of the file transfer to a remote server (i.e. ssh-transfer). A ssh-key is used (instead of a password) to access and transfer encrypted data to your backup-server.

In order to recover, the required information can be very different, depending on your use-case.
For example: If you just want to make sure that you can revert to recent (backed up) version of your files from your computer, there is no additional information required: You could just go to Vorta>Archives, mount the last archive and copy/ paste the required file. Since everything is already set up on you computer, no additional information is required. (no passphrase, no ssh-keys, no server address/ credentials.
If however you aim is to be able to make a "disaster recovery", e.g. since you lost your old computer, then you need all information necessary to setup Vorta on another computer in order to access your repository. In this case, you have to keep a copy of all required information on a save place, outside your lost computer.

The information requirements for restore depend heavily on your use case!

I agree, however, that when using Vorta, disaster-recovery is likely to be an important use case for many users. :-)

• Pointing the user to relevant documentation, after setting up Vorta could be a first step.
• Exporting encrypted .json files (by default) could be another enhancement. However, in this case you need yet another password to remember (in order to decrypt the .json files, when you need them) :-)

My general recommendation is: Save all required information in a password manager and keep a copy of the password vault at a save place outside your home/ computer.

By the way: You can change the passphrase of a repository using borg commands directly. However, setting up a new repository - and deleting the old repo is recommended if you have doubts about compromised borg-keys.
Note also that the borg-keys (keyfiles or repokeys) are a different thing than the associated passphrase. :-)

[CouldBeThis]

Relevant recent and open issues:

• Vorta should motivate the user to backup the repokey #1928
• add UI for borg key backup #1918