I recently set up tarsnap on a server with a write-only key, taking nightly backups. The full key lives elsewhere. This worked great until I used my full key to delete an older test archive; subsequently, the backup started failing with complaints of "Sequence number mismatch: Run --fsck".
I can't run --fsck from the server since it has a write-only key, and --fsck requires either delete or read+write. Here are my options as I understand them:

- Put a passphrased copy of the full key on the server and periodically SSH in to run deletions (no automated rotation)
- Add the 'read' capability to my server's tarsnap key (this would still allow destruction of my backup history, right?)
- Periodically shut down the server, boot from a clean USB stick, mount the cache dir, and run deletions.

My concern is of course that an attacker who wipes out the server could also wipe out the backups. I figure that if they can do that, they already have root, so in Option 1 a sufficiently malicious attacker could wait until I SSH in next and grab the passphrase. In Option 2, they can (I *think*) trash the history without even waiting. (Option 3 is there for completeness.) Is there another option? I'm not sure I should (personally) even be worried about that Sufficiently Malicious Attacker, but it would be nice to have that squared away too.

- Tim McCormack
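Whatever option is chosen, the failure mode described above is silent unless the nightly job distinguishes a cache/sequence mismatch from an ordinary error. The wrapper below is an added example, not from the original post or the tarsnap project; the key path, cache directory, backed-up paths and the use of logger(1) are assumptions, and only the write-only key lives on the server.

```bash
#!/bin/sh
# Nightly tarsnap wrapper (constructed example). Assumes the server holds only a
# write-only key made elsewhere with:
#   tarsnap-keymgmt --outkeyfile tarsnap-write.key -w full.key
# and that --fsck is run from the trusted host with a key holding read+write or delete.
KEYFILE=${KEYFILE:-/root/tarsnap-write.key}   # assumed path
CACHEDIR=${CACHEDIR:-/usr/local/tarsnap-cache} # assumed path

# classify_tarsnap_output EXIT_STATUS OUTPUT
# Prints one of: ok | seqmismatch | failed
classify_tarsnap_output() {
    status=$1
    output=$2
    if [ "$status" -eq 0 ]; then
        echo ok
    elif printf '%s\n' "$output" | grep -q 'Sequence number mismatch'; then
        # The local cache no longer matches the server-side state, as happens
        # after an archive is deleted with another key; a write-only key
        # cannot repair this, so the job must alert rather than retry.
        echo seqmismatch
    else
        echo failed
    fi
}

run_backup() {
    name="$(hostname)-$(date +%Y%m%d)"
    out=$(tarsnap --keyfile "$KEYFILE" --cachedir "$CACHEDIR" \
                  -c -f "$name" /etc /home 2>&1)
    status=$?
    result=$(classify_tarsnap_output "$status" "$out")
    case $result in
        ok)
            logger -t tarsnap-backup "archive $name created" ;;
        seqmismatch)
            logger -p user.err -t tarsnap-backup \
                "cache out of sync; run --fsck from the trusted host with the full key" ;;
        failed)
            logger -p user.err -t tarsnap-backup "backup failed: $out" ;;
    esac
    [ "$result" = ok ]
}
```

Run it from cron and page on any user.err entry tagged tarsnap-backup; a seqmismatch result means the nightly archive was not written.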