
Are key privilege separation and backup rotation compatible?

I recently set up tarsnap on a server with a write-only key, taking
nightly backups. The full key lives elsewhere. This worked great until
I used my full key to delete an older test archive; subsequently, the
backup started failing with complaints of "Sequence number mismatch:
Run --fsck".

I can't run --fsck from the server since it has a write-only key, and
--fsck requires either delete or read+write. Here are my options as I
understand them:

- Put a passphrased copy of the full key on the server and periodically
  SSH in to run deletions (no automated rotation)
- Add the 'read' capability to my server's tarsnap key (this would
  still allow destruction of my backup history, right?)
- Periodically shut down the server, boot from clean USB stick, mount
  cache dir, and run deletions.

My concern is of course that an attacker who wipes out the server could
also wipe out the backups. I figure that if they can do that, they
already have root, so in Option 1 a sufficiently malicious attacker
could wait until I SSH in next and grab the passphrase. In Option 2,
they can (I *think*) trash the history without even waiting. (Option 3
is there for completeness.)

Is there another option? I'm not sure I should (personally) even be
worried about that Sufficiently Malicious Attacker, but it would be
nice to have that squared away too.

 - Tim McCormack
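As an added illustration (not part of the original message, and not tarsnap's own code), the following POSIX shell script models the capability split the post describes: a write-only key on the backup server, a full key kept on a separate admin host, and a check that says which key may run which operation. The `-r`/`-w`/`-d`/`--outkeyfile` flags are real `tarsnap-keymgmt` options; the rule that `--fsck` needs delete or read+write is taken from the post, while the rules that creating an archive needs `w` and deleting one needs `d` are the script's assumptions, as are all file paths and archive names. The script only prints the commands it would run, so it can be read and tested without a tarsnap installation.

```shell
#!/bin/sh
# Added example: model tarsnap key capabilities and emit the key-derivation commands.
# Assumptions: create needs 'w', delete needs 'd'; fsck needs 'd' or both 'r' and 'w'
# (the fsck rule is the one stated in the post). All paths are placeholders.

# key_allows CAPS OP -> succeeds if a key holding CAPS (a string of r/w/d) may run OP.
key_allows() {
    caps=$1
    op=$2
    case "$op" in
        create) case "$caps" in *w*) return 0 ;; esac ;;
        delete) case "$caps" in *d*) return 0 ;; esac ;;
        fsck)
            case "$caps" in *d*) return 0 ;; esac
            case "$caps" in *r*) case "$caps" in *w*) return 0 ;; esac ;; esac ;;
    esac
    return 1
}

# keymgmt_cmd MASTERKEY OUTFILE CAPS -> print the tarsnap-keymgmt command that derives
# a key holding only CAPS from MASTERKEY. -r, -w, -d and --outkeyfile are real flags.
keymgmt_cmd() {
    master=$1
    out=$2
    caps=$3
    flags=""
    case "$caps" in *r*) flags="$flags -r" ;; esac
    case "$caps" in *w*) flags="$flags -w" ;; esac
    case "$caps" in *d*) flags="$flags -d" ;; esac
    printf 'tarsnap-keymgmt --outkeyfile %s%s %s\n' "$out" "$flags" "$master"
}

# plan_key_split: the layout from the post. The server gets a write-only key, so a
# compromised server can add archives but cannot read or delete existing ones;
# the full key stays on a separate admin host. (Placeholder paths.)
plan_key_split() {
    keymgmt_cmd /root/tarsnap-master.key /etc/tarsnap-server.key w
    keymgmt_cmd /root/tarsnap-master.key /root/tarsnap-admin.key rwd
}

# job_cmd CAPS OP KEYFILE ARCHIVE -> print the tarsnap command for OP, or fail if
# the key's capabilities do not permit it. This is exactly why the nightly job in
# the post cannot recover on its own: a 'w'-only key is refused for fsck.
job_cmd() {
    caps=$1
    op=$2
    key=$3
    archive=$4
    key_allows "$caps" "$op" || { echo "key [$caps] may not run $op" >&2; return 1; }
    case "$op" in
        create) printf 'tarsnap --keyfile %s --cachedir /var/cache/tarsnap -c -f %s /etc /home\n' "$key" "$archive" ;;
        delete) printf 'tarsnap --keyfile %s --cachedir /var/cache/tarsnap -d -f %s\n' "$key" "$archive" ;;
        fsck)   printf 'tarsnap --keyfile %s --cachedir /var/cache/tarsnap --fsck\n' "$key" ;;
    esac
}

# Usage when run directly: show the key split, a nightly create, and the fsck refusal.
if [ "${TARSNAP_DEMO:-}" = "1" ]; then
    plan_key_split
    job_cmd w create /etc/tarsnap-server.key nightly-example
    job_cmd w fsck /etc/tarsnap-server.key || true
    job_cmd rwd fsck /root/tarsnap-admin.key
fi
```

Run with `TARSNAP_DEMO=1 sh script.sh` to see the printed commands. The point the model makes explicit is the one in the post: after an archive is deleted with the admin key, the server's cache can only be repaired by a key that holds `d`, or both `r` and `w`, so the write-only server key is refused, and whichever key is brought to the server to run the repair is the key an attacker with root on that server could capture.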