I have been using tarsnap for a few months now and am finally getting around to automating deletion of old archives.
On the server being backed up, I have a write-only key which is used for the regular backups. It would be nice if, after doing a backup, the backup script could delete archives older than, say, 3 months. This would require a delete key to be on the server being backed up.
However, this seems to defeat the purpose of privilege separation. What if an attacker gains access to the server, uses the delete key to delete all the backups, then deletes everything on the server?
Have I missed something, and is it possible to automate deletion of old archives from the server being backed up without a key that could be used to delete all the backups?
If not, I think this would be a great feature.