
Re: tarsnap-keyregen



On 02/08/11 08:16, Gabriel Kerneis wrote:
> On Tue, Feb 08, 2011 at 07:39:24AM -0800, Colin Percival wrote:
>> Tarsnap has some keys which need to stay the same when re-encrypting data;
>> for example, there is a key used for mapping archive names to the 256-bit
>> names which identify metadata blocks.  If this key is changed, Tarsnap won't
>> be able to read archives since it won't be able to find the right metadata
>> blocks.
> 
> Sorry, I still don’t get it.  Since tarsnap-recrypt knows both old and
> new key, couldn’t it use the old one to read them?

The tarsnap-recrypt utility works on a block-by-block basis; it isn't aware of
the higher-level archives built out of those blocks.

> My real issue, in fact, is why (beyond convenience) use tarsnap-recrypt
> instead of registering a new machine using tarsnap-keygen, retrieving and
> re-uploading their data using two pipelined plain tarsnap instances, and
> then deleting the old data by running tarsnap --nuke with the old keys?

If you have several archives which contain the same data, running several
instances of 'tarsnap -r | tarsnap -c @-' will result in you downloading the
shared blocks several times, whereas tarsnap-recrypt will only download each
(deduplicated) block of data once.

-- 
Colin Percival
Security Officer, FreeBSD | freebsd.org | The power to serve
Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid
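The two points in the reply (the name key must stay fixed, and block-level re-encryption downloads each deduplicated block once) in a constructed toy model; this is added example code, not Tarsnap's own, and the HMAC block naming, the hash-derived XOR "cipher", the `Server` class and the sample archives are all assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

def block_name(name_key: bytes, chunk: bytes) -> bytes:
    """256-bit block name; derived with the key that must survive re-keying."""
    return hmac.new(name_key, chunk, hashlib.sha256).digest()

def xor_crypt(data_key: bytes, name: bytes, data: bytes) -> bytes:
    """Toy hash-derived XOR keystream (constructed; not Tarsnap's cipher)."""
    stream = b"".join(hashlib.sha256(data_key + name + bytes([i])).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

@dataclass
class Server:
    blocks: dict = field(default_factory=dict)    # block name -> ciphertext
    archives: dict = field(default_factory=dict)  # archive -> [block names]
    downloads: int = 0                            # fetches charged to the client
    def get(self, name: bytes) -> bytes:
        self.downloads += 1
        return self.blocks[name]

def store_archive(srv, name_key, data_key, archive, chunks):
    names = [block_name(name_key, c) for c in chunks]
    for n, c in zip(names, chunks):
        if n not in srv.blocks:  # deduplication: an identical chunk is stored once
            srv.blocks[n] = xor_crypt(data_key, n, c)
    srv.archives[archive] = names

def read_archive(srv, data_key, archive):
    return [xor_crypt(data_key, n, srv.get(n)) for n in srv.archives[archive]]

def pipelined_rekey(srv, old_keys, new_keys):
    """'tarsnap -r | tarsnap -c @-' per archive: shared blocks fetched per archive."""
    new = Server()
    for archive in srv.archives:
        chunks = read_archive(srv, old_keys[1], archive)
        store_archive(new, new_keys[0], new_keys[1], archive, chunks)
    return srv.downloads, new

def recrypt(srv, old_keys, new_keys):
    """Block-by-block like tarsnap-recrypt: every stored block is fetched once."""
    if old_keys[0] != new_keys[0]:
        raise ValueError("name key must be kept or archives cannot be located")
    new = Server(archives=dict(srv.archives))
    for n in srv.blocks:
        new.blocks[n] = xor_crypt(new_keys[1], n, xor_crypt(old_keys[1], n, srv.get(n)))
    return srv.downloads, new

def rekey_scenario(strategy):
    """Three daily archives sharing three base chunks: (downloads, day2 contents)."""
    old, new = (b"namekey", b"data-old"), (b"namekey", b"data-new")
    srv = Server()
    for day in ("day1", "day2", "day3"):
        store_archive(srv, old[0], old[1], day, [b"base-a", b"base-b", b"base-c", day.encode()])
    downloads, rekeyed = strategy(srv, old, new)
    return downloads, read_archive(rekeyed, new[1], "day2")
```

With three archives of four blocks each, three of them shared, the pipelined route fetches 12 blocks while the block-level route fetches the 6 distinct ones, and both leave every archive readable under the new data key.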