Tarsnap - Online backups for the truly paranoid




     tarsnap-recrypt – re-encrypts data stored using tarsnap(1)


     tarsnap-recrypt --oldkey old-key-file --oldcachedir old-cache-dir
                     --newkey new-key-file --newcachedir new-cache-dir
     tarsnap-recrypt --version


     tarsnap-recrypt downloads and decrypts data using old-key-file and re-
     encrypts and uploads it using new-key-file.  After all the data has been
     re-uploaded, tarsnap-recrypt deletes the data using old-key-file so that
     the only remaining copy of the data is encrypted using new-key-file.  The
     key file new-key-file must have been generated by tarsnap-keyregen(1)
     with old-key-file.

     tarsnap-recrypt checkpoints its progress after every 1-2 GB of data that
     it has copied; if it is interrupted it can be re-run and it will attempt
     to continue.

     Note that after tarsnap-recrypt completes it will be possible to store
     more archives using the key old-key-file and the cache directory
     old-cache-dir, so care should be taken to disable any automatic (e.g.,
     cron(8)) archiving while tarsnap-recrypt is run.

     The --version option prints the version number of tarsnap-recrypt, then


     The following sequence of commands will create new keys and re-encrypt
     data, assuming that the currently used keys are in /root/tarsnap.key and
     the current cache directory is /usr/local/tarsnap-cache:

           tarsnap-keyregen --keyfile /root/tarsnap.key.new \
               --oldkey /root/tarsnap.key \
               --user me@example.com --machine myserver

           tarsnap-recrypt --oldkey /root/tarsnap.key \
               --oldcachedir /usr/local/tarsnap-cache \
               --newkey /root/tarsnap.key.new \
               --newcachedir /usr/local/tarsnap-cache.new

           rm -r /usr/local/tarsnap-cache

           mv /usr/local/tarsnap-cache.new /usr/local/tarsnap-cache

           rm /root/tarsnap.key

           mv /root/tarsnap.key.new /root/tarsnap.key
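
The sequence above as a wrapper that refuses to start while a backup lock is held and removes the old key and cache only after tarsnap-recrypt exits successfully. This is an added example, not part of the man page or of Tarsnap's own tooling; the lock directory, the convention that the cron(8) backup job takes the same lock, and the KEYREGEN and RECRYPT override variables are assumptions.

```shell
#!/bin/sh
# Added example; assumptions: the lock directory, and that the cron backup
# job takes the same lock before it runs tarsnap.
KEYREGEN=${KEYREGEN:-tarsnap-keyregen}   # hypothetical overrides, used
RECRYPT=${RECRYPT:-tarsnap-recrypt}      # to substitute stubs in tests

# Usage: rotate_key KEYFILE CACHEDIR USER MACHINE LOCKDIR
# Returns 0 on success, 2 if the lock is held, 1 if key generation or
# re-encryption fails.
rotate_key() {
    key=$1; cache=$2; user=$3; machine=$4; lock=$5

    # mkdir is atomic, so it fails if a backup or another rotation holds
    # the lock.
    if ! mkdir "$lock" 2>/dev/null; then
        echo "rotate_key: $lock is held; is archiving running?" >&2
        return 2
    fi
    rc=0
    (
        umask 077   # the new key file must not be readable by other users
        # Keep an existing $key.new so that a re-run after an interruption
        # continues with the key the interrupted run was using.
        if [ ! -e "$key.new" ]; then
            "$KEYREGEN" --keyfile "$key.new" --oldkey "$key" \
                --user "$user" --machine "$machine" || exit 1
        fi
        "$RECRYPT" --oldkey "$key" --oldcachedir "$cache" \
            --newkey "$key.new" --newcachedir "$cache.new" || exit 1
        # Reached only when tarsnap-recrypt exited 0: swap cache, then key.
        rm -r "$cache" && mv "$cache.new" "$cache" &&
            rm "$key" && mv "$key.new" "$key"
    ) || rc=$?
    rmdir "$lock"
    return "$rc"
}
```

Called as `rotate_key /root/tarsnap.key /usr/local/tarsnap-cache me@example.com myserver /var/run/tarsnap.lock`, where the lock path is an assumed location.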