If I understand tarsnap from previous posts correctly, there seem to be various keys, e.g. for sending data, for deleting data, for listing data.
Coming back to my previous suggestion to bring the security level more in accordance with the philosophy adhered to by the Qubes-OS designers at qubes-os.org, i.e.: 'do not leave your secret passphrases/-words on a net-connected computer of VM', I would suggest to look into the possibility of a command line option which would allow users to paste the required part of the key file in the terminal when needed. If that would be possible, I could store my keyfile (or -files, as I think them keys would preferably be stored in separate files) on a 'Vault-VM' which has no physical connection to the internet as it is 'perfectly isolated' using Intel's VT-d and VT-x processor features and thanks to Qubes-OS's design (and hopefully implementation). Then, when invoking tarsnap with the --paste-keys (or whatever) option, I could be queried for the appropriate key (for writing, reading, deleting) whenever needed and copy/paste it from the Vault-VM into the VM's terminal running tarsnap at that moment. The (part of the) keyfile would then only reside in RAM during the time that tarsnap is running (and does it really need to stay there all the time?), making it more difficult for hackers to catch it. Impossible? Or even nonsense talk? I'm not such a 'code reader' that I can easily find this myself in 'the source code', and maybe someone has enough knowledge of the inner workings to find it easy to answer this question. And please, after Snowden's publications, don't call me 'truly paranoid' anymore. 'Truly realistic' would be more appropriate ;-) .