borg-serve - Start in server mode. This command is usually not used manually.
borg [common options] serve [options]
This command starts a repository server process. This command is usually not
for common options of Borg commands.
- --restrict-to-path PATH
- restrict repository access to PATH. Can be specified
multiple times to allow the client access to several directories. Access
to all sub-directories is granted implicitly; PATH doesn't need to
directly point to a repository.
- --restrict-to-repository PATH
- restrict repository access. Only the repository located at
PATH (no sub-directories are considered) is accessible. Can be specified
multiple times to allow the client access to several repositories. Unlike
--restrict-to-path sub-directories are not accessible; PATH needs
to directly point at a repository location. PATH may be an empty directory
or the last element of PATH may not exist, in which case the client may
initialize a repository there.
- only allow appending to repository segment files
- --storage-quota QUOTA
- Override storage quota of the repository (e.g. 5G, 1.5T).
When a new repository is initialized, sets the storage quota on the new
repository as well. Default: no quota.
borg serve has special support for ssh forced commands (see
example below): it will detect that you use such a
forced command and extract the value of the --restrict-to-path
It will then parse the original command that came from the client, makes sure
that it is also borg serve
and enforce path restriction(s) as given by
the forced command. That way, other options given by the client (like
) are preserved (and are not fixed by the
Environment variables (such as BORG_HOSTNAME_IS_UNIQUE) contained in the
original command sent by the client are not
interpreted, but ignored.
If BORG_XXX environment variables should be set on the borg serve
then these must be set in system-specific locations like
or in the forced command itself (example below).
# Allow an SSH keypair to only run borg, and only have access to /path/to/repo.
# Use key options to disable unneeded and potentially dangerous SSH functionality.
# This will help to secure an automated remote backup system.
$ cat ~/.ssh/authorized_keys
command="borg serve --restrict-to-path /path/to/repo",restrict ssh-rsa AAAAB3[...]
# Set a BORG_XXX environment variable on the "borg serve" side
$ cat ~/.ssh/authorized_keys
command="export BORG_XXX=value; borg serve [...]",restrict ssh-rsa [...]
The examples above use the restrict
directive. This does automatically block potential dangerous ssh features,
even when they are added in a future update. Thus, this option should be
If you're using openssh-server < 7.2, however, you have to explicitly specify
the ssh features to restrict and cannot simply use the restrict option as it
has been introduced in v7.2. We recommend to use
in this case.
The Borg Collective