Tarsnap - Online backups for the truly paranoid

Navigation menu



     tarsnap-keymgmt -- generate subsets of tarsnap(1) key files


     tarsnap-keymgmt --outkeyfile new-key-file [-r] [-w] [-d] [--nuke]
                     [--passphrased] [--passphrase-mem maxmem]
                     [--passphrase-time maxtime] key-file ...
     tarsnap-keymgmt --print-key-id key-file
     tarsnap-keymgmt --print-key-permissions key-file
     tarsnap-keymgmt --version


     tarsnap-keymgmt reads the provided key files and writes a new key file
     containing only the keys required for the operations specified via the -r
     (list and extract archives), -w (write archives), -d (delete archives),
     and --nuke flags.  Note that -d implies -r since it is impossible to
     delete an individual archive without being able to read it; while a key
     file generated with --nuke can be used to delete all the archives stored,
     but not individual archives.

     The --recover command requires either (1) -d (archive deleting), (2) -w
     (archive creating), or (3) --nuke keys.  The --fsck command requires
     either (1) both -w (archive writing) and -r (archive reading) keys, or
     (2) -d (archive deleting) keys.  The --fsck-prune command requires -d
     (archive deleting) keys, since it needs to be able to delete corrupted

     If the --passphrased option is specified, the user will be prompted to
     enter a passphrase (twice) to be used to encrypt the key file.

     If the --passphrase-mem maxmem option is specified, a maximum of maxmem
     bytes of RAM will be used in the scrypt key derivation function to
     encrypt the key file; it may be necessary to set this option if a key
     file is being created on a system with far more RAM than the system on
     which the key file will be used.

     If the --passphrase-time maxtime option is specified, a maximum of
     approximately maxtime seconds will be used in the scrypt key derivation
     function to encrypt the key file.

     Note that if none of the -w, -r, -d, or --nuke options are specified, a
     key file will be produced which does not contain any keys.  This is prob-
     ably not very useful.