On 03/18/17 17:45, Tim McCormack wrote:
> - Put a passphrased copy of the full key on the server and periodically
> SSH in to run deletions (no automated rotation)

Anecdotally, it seems that a lot of people do this; but you're quite right
about the risk given a Sufficiently Malicious Attacker.  (Note however that
at a certain point having a Sufficiently Malicious Attacker means that you
have lost anyway: They could replace the tarsnap binary with one creating
archives full of garbage, and then wait for all your older archives to be
rotated away.)

> - Add the 'read' capability to my server's tarsnap key (this would
> still allow destruction of my backup history, right?)

I'm not entirely sure what you mean here.  If your server has write+read
keys, it will be able to run --fsck to regenerate the cache directory and
it will be able to create new archives, but it will not be able to delete
old archives.

> Is there another option?

Yes: After you do the "--fsck + delete old archives" elsewhere, copy the
cache directory onto the write-keys-only server.

-- 
Colin Percival
Security Officer Emeritus, FreeBSD | The power to serve
Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid
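As an added example (not Colin's or Tarsnap's own code), the procedure from the last reply written out as a POSIX sh script for the trusted host: split off a write-only key for the server with `tarsnap-keymgmt -w`, run `--fsck` with the full key, delete all but the newest N archives, then `rsync` the refreshed cache directory to the write-keys-only server. Key paths, the server name, the cache locations and the retention count are assumptions to be overridden in the environment. With `DRY_RUN=1` (the default) the script prints the commands it would run and works from a constructed archive list, so it runs offline; set `DRY_RUN=0` to execute for real.

```shell
#!/bin/sh
# Added example, not part of the original thread or of Tarsnap itself.
# Runs on the TRUSTED host that holds the passphrased full key: rebuild the
# cache with --fsck, delete old archives, then push the cache to the server
# that only has a write-capable key.  All paths, hosts and the retention
# count below are assumptions; override them in the environment.
set -eu

FULL_KEY="${FULL_KEY:-${HOME:-.}/tarsnap-full.key}"    # rwd key, trusted host only
WRITE_KEY="${WRITE_KEY:-${HOME:-.}/tarsnap-write.key}" # w-only key destined for the server
CACHEDIR="${CACHEDIR:-${HOME:-.}/tarsnap-cache}"
SERVER="${SERVER:-backup@server.example}"              # the write-keys-only machine (assumed)
SERVER_CACHEDIR="${SERVER_CACHEDIR:-/usr/local/tarsnap-cache}"
KEEP="${KEEP:-30}"                                     # number of archives to retain
DRY_RUN="${DRY_RUN:-1}"                                # 1 = print commands instead of running them

# Constructed archive list used in dry-run mode so the script runs offline.
SAMPLE_ARCHIVES="srv-2017-03-13
srv-2017-03-11
srv-2017-03-15
srv-2017-03-12
srv-2017-03-14"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Derive a write-only key from the full key; this is the only key the
# server should hold (tarsnap-keymgmt -w keeps just the write capability).
make_write_key() {
    run tarsnap-keymgmt --outkeyfile "$WRITE_KEY" -w "$FULL_KEY"
}

list_archives() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$SAMPLE_ARCHIVES"
    else
        tarsnap --keyfile "$FULL_KEY" --cachedir "$CACHEDIR" --list-archives
    fi
}

# Read archive names on stdin (assumed to sort chronologically, e.g.
# host-YYYY-MM-DD) and print all but the newest $1 of them.
select_for_deletion() {
    sort | awk -v keep="$1" '{ a[NR] = $0 } END { for (i = 1; i <= NR - keep; i++) print a[i] }'
}

rotate() {
    retain="${1:-$KEEP}"
    # 1. Regenerate the cache from the service-side metadata; needs the full key.
    run tarsnap --keyfile "$FULL_KEY" --cachedir "$CACHEDIR" --fsck
    # 2. Delete everything but the newest $retain archives (needs the delete key).
    list_archives | select_for_deletion "$retain" | while IFS= read -r archive; do
        run tarsnap --keyfile "$FULL_KEY" --cachedir "$CACHEDIR" -d -f "$archive"
    done
    # 3. The cache now reflects the deletions; copy it to the write-only server
    #    so its next backup sees a consistent cache without running --fsck itself.
    run rsync -a --delete "$CACHEDIR/" "$SERVER:$SERVER_CACHEDIR/"
}

make_write_key
rotate "$KEEP"
```

The order matters: the cache copied to the server must be the one produced after the deletions, otherwise the server's next archive is built against stale chunk metadata. Copying the write-only key to the server is a one-time step; the cache copy repeats after every rotation.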