Thanks, This seems to satisfy my use-case. It seems like I can have the master key encrypted and the -w key be unencrypted.
On Fri, Feb 14, 2014 at 1:48 PM, Matthias Hörmann <[email protected]>wrote: > You can create limited keys with > https://www.tarsnap.com/man-tarsnap-keymgmt.1.html > which can only perform some operations if you are concerned about e.g. an > attacker > deleting your backups after exploiting a security hole on the box you > backup. > > I haven't tried it myself though so I don't know the details. > > Matthias Hörmann > > > On Fri, Feb 14, 2014 at 7:43 PM, Joshua Kolash <[email protected]>wrote: > >> Curious Question for people who use tarsnap for automated backups. >> >> I assume most people just have the keyfile as unencrypted, as it doesn't >> require any prompting. >> >> Does anyone keep the keyfile encrypted and have automated backups? >> >> I'm imagining the following server setup. >> >> Have a BackupBox with the encrypted keyfile and the backup contents. >> >> Have a PasswordBox with the password to the keyfile and have the >> PasswordBox simply ssh into the BackupBox and enter the password into >> tarsnap on a regular basis. The PasswordBox can then be sealed off except >> for re-initializing the password and ssh schedule. In effect it is like >> having a single purpose ssh-agent that lasts forever for narrowly defined >> tasks. >> >> Does anyone do anything like this? Or is this needless complexity for >> little if any security gain? You still need to trust BackupBox to not be >> evil. >> >> As I want automated backups I think the only point to encrypting the >> keyfile would be for the printed paper backup. >> > >
