You can create limited keys with https://www.tarsnap.com/man-tarsnap-keymgmt.1.html which can only perform some operations if you are concerned about e.g. an attacker deleting your backups after exploiting a security hole on the box you back up.
I haven't tried it myself though so I don't know the details.

Matthias Hörmann

On Fri, Feb 14, 2014 at 7:43 PM, Joshua Kolash <[email protected]> wrote:

> Curious Question for people who use tarsnap for automated backups.
>
> I assume most people just have the keyfile as unencrypted, as it doesn't
> require any prompting.
>
> Does anyone keep the keyfile encrypted and have automated backups?
>
> I'm imagining the following server setup.
>
> Have a BackupBox with the encrypted keyfile and the backup contents.
>
> Have a PasswordBox with the password to the keyfile and have the
> PasswordBox simply ssh into the BackupBox and enter the password into
> tarsnap on a regular basis. The PasswordBox can then be sealed off except
> for re-initializing the password and ssh schedule. In effect it is like
> having a single purpose ssh-agent that lasts forever for narrowly defined
> tasks.
>
> Does anyone do anything like this? Or is this needless complexity for
> little if any security gain? You still need to trust BackupBox to not be
> evil.
>
> As I want automated backups I think the only point to encrypting the
> keyfile would be for the printed paper backup.
