tarsnap-keymgmt – generate subsets of tarsnap(1) key files
tarsnap-keymgmt --outkeyfile new-key-file [-r] [-w] [-d] [--nuke] [--passphrased] [--passphrase-mem maxmem] [--passphrase-time maxtime] key-file ... tarsnap-keymgmt --print-key-id key-file tarsnap-keymgmt --print-key-permissions key-file tarsnap-keymgmt --version
tarsnap-keymgmt reads the provided key files and writes a new key file (specified by --outkeyfile new-key-file) containing only the keys required for the operations specified via the -r (list and extract archives), -w (write archives), -d (delete archives), and --nuke flags. Note that -d implies -r since it is impossible to delete an individual archive without being able to read it; while a key file generated with --nuke can be used to delete all the archives stored, but not individual archives. The following list shows which permissions are required for various tarsnap(1) command modes. --recover requires either (1) -d (archive deleting), (2) -w (archive creating), or (3) --nuke keys. --fsck requires either (1) both -w (archive writing) and -r (archive reading) keys, or (2) -d (archive deleting) keys. --fsck-prune requires -d (archive deleting) keys, since it needs to be able to delete corrupted archives. If the --passphrased option is specified, the user will be prompted to enter a passphrase (twice) to be used to encrypt the key file. If the --passphrase-mem maxmem option is specified, a maximum of maxmem bytes of RAM will be used in the scrypt key derivation function to encrypt the key file; it may be necessary to set this option if a key file is being created on a system with far more RAM than the system on which the key file will be used. If the --passphrase-time maxtime option is specified, a maximum of approximately maxtime seconds will be used in the scrypt key derivation function to encrypt the key file. Note that if none of the -w, -r, -d, or --nuke options are specified, a key file will be produced which does not contain any keys. This is probably not very useful. The --print-key-id key-file option displays the 64-bit integer corresponding to the key's machine number. This may be useful for scripts or GUIs which manage a user's Tarsnap account, but is not likely to be helpful for command-line use. The --print-key-permissions key-file option displays the permissions which the key possesses. The --version option prints the version number of tarsnap-keymgmt, then exits.