Curious question for people who use tarsnap for automated backups.
I assume most people just keep the keyfile unencrypted, as it doesn't require any prompting.
Does anyone keep the keyfile encrypted and have automated backups?
I'm imagining the following server setup.
Have a BackupBox with the encrypted keyfile and the backup contents.
Have a PasswordBox with the password to the keyfile and have the PasswordBox simply ssh into the BackupBox and enter the password into tarsnap on a regular basis. The PasswordBox can then be sealed off except for re-initializing the password and ssh schedule. In effect it is like having a single purpose ssh-agent that lasts forever for narrowly defined tasks.
Does anyone do anything like this? Or is this needless complexity for little, if any, security gain? You still need to trust BackupBox to not be evil.
As I want automated backups, I think the only point to encrypting the keyfile would be for the printed paper backup.