Rekey

Changes the backup encryption key:

$ hb rekey -c backupdir [-k key] [-p ask/env]

Typically, the -k option is not used and a new random key is generated. This is more secure than specifying a key, but it also requires that you store the key in a safe place.

Use -k to specify your own encryption key, for example, -k 'my new key'. The quotes are required if the key contains spaces or other special characters.

To set a blank key, use -k '' (two single quotes). With a blank key, your backup is still encrypted, but anyone with access to your backup files could run HashBackup and restore your data by creating a blank key file.

Use the -p option to set a passphrase. The passphrase protects your key in situations where others may have access to your key.conf file or where the key and backup are stored together. Examples are:

  • you rent a VPS (Virtual Private Server)

  • others administer your server

  • your backup is written directly (with -c) to remote storage such as Google Drive or Dropbox

See the Init command for more information about passphrases. To remove a passphrase, use rekey without -p; you will still be asked for the old passphrase.

The rekey command can be used to create multiple backups with a common key. See the Init command page for details.

After changing the key, the old key file is renamed to key.conf.orig and the rekeyed database is uploaded to all enabled destinations in dest.conf. It is important to keep the key.conf.orig file at least until the rekeyed database is uploaded to all remote destinations.
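
The following is an added example, not part of HashBackup or its documentation: a shell function to run right after hb rekey, before the rekeyed database has reached all destinations. It confirms that both key.conf and key.conf.orig are present in the backup directory, that neither is readable by group or other users, and that key.conf was actually replaced. The function name audit_rekey and the owner-only permission policy are assumptions made for this example.

```shell
# Added example: audit a backup directory after `hb rekey`.
# Only the file names key.conf and key.conf.orig come from this page;
# audit_rekey and the owner-only permission policy are assumptions.
# Usage: audit_rekey /path/to/backupdir
audit_rekey() {
    dir=$1
    rc=0
    for f in key.conf key.conf.orig; do
        if [ ! -f "$dir/$f" ]; then
            # key.conf.orig must be kept until the upload has finished.
            echo "MISSING  $f"
            rc=1
            continue
        fi
        # Characters 5-10 of `ls -l` are the group and other permission bits.
        bits=$(ls -ld "$dir/$f" | cut -c5-10)
        if [ "$bits" != "------" ]; then
            echo "EXPOSED  $f (group/other bits: $bits)"
            rc=1
        fi
    done
    # Identical files mean key.conf was not replaced by the rekey.
    if [ -f "$dir/key.conf" ] && [ -f "$dir/key.conf.orig" ] &&
       cmp -s "$dir/key.conf" "$dir/key.conf.orig"; then
        echo "UNCHANGED key.conf matches key.conf.orig"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK       $dir"
    return "$rc"
}
```

The function returns 0 only when every check passes, so it can gate a script step that later removes key.conf.orig.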