cloning repository to untrusted server including keyfile still secure?

[Simerax]

I'm currently setting up my first borg backup repository and I'm unsure about how to handle the keyfile.

I initalized my repository with --encryption repokey on my local NAS.
Backing up my local machine to this repository works fine.

Since my local machine and NAS are in the same network/close proximity I want to have an offsite backup. For this im renting a server from some company (The bottom line is I don't trust them and don't have full control over this external server).

My plan is to clone my repository (on the NAS) to this external server every night.

Now to my actual question:

The repository on the NAS contains the key in the config file.
The FAQ says the following:

You also MUST keep these files secret; everyone who gains access to your repository and has the corresponding keyfile (and the key passphrase) can extract it.

If I understand correctly its not a problem to have this keyfile on an untrusted server as long as the passphrase is kept secret, correct?

Im unsure because the FAQ says You also MUST keep these files secret; and I don't know if not keeping the keyfile secret completely undermines the encryption or if it makes theoretical attacks possible or if it does not matter.

[ThomasWaldmann]

Hmm, maybe the docs are a bit too alarming there.

The borg create docs cover the key security (btw, there is also some stuff about copying repos in the FAQ).

The key is encrypted, so having only the key is not useful, you can only decrypt it with the passphrase. Of course you need to use a good, not guessable, long enough passphrase.

[Simerax]

Thanks for the clarification!