On 03/19/14 17:13, Richard Collins wrote:
> I have been using tarsnap for a few months now and am finally getting around to
> automating deletion of old archives.
>
> On the server being backed up I have a write-only key which is used for the
> regular backups. It would be nice if after doing a backup, the backup script
> could delete archives older than say 3 months. This would require a delete key
> to be on the server being backed up.
>
> However, this seems to defeat the purpose of privilege separation. What if an
> attacker gains access to the server, uses the delete key to delete all the
> backups, then deletes everything on the server?
>
> Have I missed something and it is possible to automate deletion of old archives
> from the server being backed up without a key that could be used to delete all
> the backups?
What you're asking for isn't possible, because the Tarsnap service doesn't know
what an "archive" is. All the service knows about is blocks of storage -- the
process of taking a stream of bytes and splitting it into blocks and removing
the duplicate blocks is all done in the tarsnap client. As a result, while I
could theoretically have keys which could only delete *blocks* which are more
than 3 months old, that wouldn't do you any good -- since an archive you create
today will probably be using some of those 3+ month old blocks.

There are two common ways people deal with this:

1. Have a passphrase-protected key file with the delete key, and periodically
   log in to your server and enter the passphrase to launch a round of deletes.

2. Have the delete key on a different server and use the --fsck operation to
   reconstruct the cache directory as needed (since you need to have an up to
   date cache directory in order to create or delete archives).

If you go back through the mailing list archives you'll find a few discussion
threads about this.

-- 
Colin Percival
Security Officer Emeritus, FreeBSD | The power to serve
Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid
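To make the second option concrete, here is an added example of an archive-rotation script that runs on a separate "deleter" host holding only the delete key, so the backed-up server keeps nothing but its write-only key. It is example code written for this page, not code from the thread or from the Tarsnap project. Everything beyond the tarsnap options it invokes (--fsck, --list-archives -v, -d -f, --keyfile, --cachedir, and tarsnap-keymgmt -w/-d/--passphrased) is an assumption: the key and cache paths, the "name<TAB>YYYY-MM-DD HH:MM:SS" line format of the verbose listing, GNU date for the cutoff, and the constructed sample listing used to exercise the selection logic offline.

```shell
#!/bin/sh
# Added example (not from the thread or the Tarsnap project): rotate old
# archives from a separate host that holds the delete key, so the backed-up
# server only ever carries a write-only key (Colin's option 2).
#
# Keys are split with tarsnap-keymgmt, e.g. (run once on a trusted machine):
#   tarsnap-keymgmt --outkeyfile backup-write.key  -w tarsnap.key   # for the server
#   tarsnap-keymgmt --outkeyfile rotate-delete.key -d tarsnap.key   # for this host
# (add --passphrased to the second line to get Colin's option 1 instead).
#
# Assumed paths and formats (not stated on the page):
KEYFILE=/root/rotate-delete.key             # assumed location of the delete key
CACHEDIR=/var/cache/tarsnap-rotate          # assumed cache dir for this key
RETAIN_DAYS=90                              # roughly "3 months"

# select_expired CUTOFF < listing
# Reads "<name><TAB><YYYY-MM-DD HH:MM:SS>" lines (the assumed format of
# `tarsnap --list-archives -v`) and prints the names created strictly before
# CUTOFF, which uses the same timestamp format. Zero-padded ISO timestamps
# sort correctly as plain strings, so no date arithmetic is needed here.
select_expired() {
    awk -v cutoff="$1" '
        BEGIN { FS = "\t" }
        NF >= 2 && $2 < cutoff { print $1 }
    '
}

# count_expired CUTOFF < listing: number of names select_expired prints.
count_expired() {
    select_expired "$1" | wc -l | tr -d ' '
}

# Constructed sample listing (three archives) used only to exercise the
# selection logic without talking to the Tarsnap service.
SAMPLE_LISTING=$(printf 'web01-2013-11-01\t2013-11-01 02:00:00\nweb01-2014-01-15\t2014-01-15 02:00:00\nweb01-2014-03-18\t2014-03-18 02:00:00')

rotate() {
    # This host never creates archives, so its cache directory is stale until
    # --fsck rebuilds it from the service; creating or deleting requires an
    # up-to-date cache, hence this step comes first.
    tarsnap --keyfile "$KEYFILE" --cachedir "$CACHEDIR" --fsck || return 1

    # GNU date syntax; on BSD/macOS use: date -u -v "-${RETAIN_DAYS}d" ...
    cutoff=$(date -u -d "$RETAIN_DAYS days ago" '+%Y-%m-%d %H:%M:%S') || return 1

    tarsnap --keyfile "$KEYFILE" --cachedir "$CACHEDIR" --list-archives -v \
        | select_expired "$cutoff" \
        | while IFS= read -r name; do
            echo "deleting $name"
            tarsnap --keyfile "$KEYFILE" --cachedir "$CACHEDIR" -d -f "$name"
          done
}

# Only touch the service when explicitly asked; a plain invocation just shows
# which sample archives a cutoff of 2014-02-01 would select.
if [ "${1:-}" = "--run" ]; then
    rotate
else
    printf '%s\n' "$SAMPLE_LISTING" | select_expired '2014-02-01 00:00:00'
fi
```

Run it from cron on the deleter host with `--run`; the backed-up server still runs its own backups with the write-only key and has no way to delete anything, so compromising it cannot destroy history. The trade-off is that every run pays for a --fsck of the cache, which is what makes the separate-host arrangement possible at all.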
