tarsnap-keymgmt reads the provided key files and writes a new key file (specified by
--outkeyfile new-key-file) containing only the keys required for the operations specified via the
-r (list and extract archives),
-w (write archives),
-d (delete archives), and
--nuke flags. Note that
-r since it is impossible to delete an individual archive without being able to read it; while a key file generated with
--nuke can be used to delete all the archives stored, but not individual archives.
The following list shows which permissions are required for various tarsnap(1) command modes.
requires either (1)
-d(archive deleting), (2)
-w(archive creating), or (3)
requires either (1) both
-w(archive writing) and
-r(archive reading) keys, or (2)
-d(archive deleting) keys.
-d(archive deleting) keys, since it needs to be able to delete corrupted archives.
--passphrased option is specified, the user will be prompted to enter a passphrase (twice) to be used to encrypt the key file.
--passphrase-mem maxmem option is specified, a maximum of maxmem bytes of RAM will be used in the scrypt key derivation function to encrypt the key file; it may be necessary to set this option if a key file is being created on a system with far more RAM than the system on which the key file will be used.
--passphrase-time maxtime option is specified, a maximum of approximately maxtime seconds will be used in the scrypt key derivation function to encrypt the key file.
Note that if none of the
--nuke options are specified, a key file will be produced which does not contain any keys. This is probably not very useful.
--print-key-id key-file option displays the 64-bit integer corresponding to the key's machine number. This may be useful for scripts or GUIs which manage a user's Tarsnap account, but is not likely to be helpful for command-line use.
--print-key-permissions key-file option displays the permissions which the key possesses.
--version option prints the version number of tarsnap-keymgmt, then exits.