
Re: Are key privilege separation and backup rotation compatible?

On Sat, 18 Mar 2017 18:04:20 -0700, Colin Percival wrote:
> I'm not entirely sure what you mean here.  If your server has
> write+read keys, it will be able to run --fsck to regenerate the
> cache directory and it will be able to create new archives, but it
> will not be able to delete old archives.

Ah, I think I got turned around after reading a previous discussion.
This makes complete sense now. :-)

> Yes: After you do the "--fsck + delete old archives" elsewhere, copy
> the cache directory onto the write-keys-only server.

Oh! Of course. And that might even be better than giving the server
under backup r+w keys, since I'd need to run a fsck one way or another


 - Tim
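
The workflow agreed on in this thread, as an added example that is not part of the original messages or of tarsnap's own tooling: a trusted admin host holding the full key runs `--fsck`, deletes old archives, then copies its cache directory to the write-keys-only server. All paths, the host name, the retention count and the "names sort chronologically" convention are assumptions.

```shell
#!/bin/sh
# Rotation run on a trusted admin host; the backed-up server keeps write-only keys.
# Every path and host name below is a hypothetical placeholder.
FULL_KEY="${FULL_KEY:-/root/tarsnap-full.key}"            # full key, admin host only
ADMIN_CACHE="${ADMIN_CACHE:-/var/cache/tarsnap-admin}"    # cache dir on admin host
SERVER="${SERVER:-backup-client.example.com}"             # write-keys-only server
SERVER_CACHE="${SERVER_CACHE:-/usr/local/tarsnap-cache}"  # cache dir on that server
KEEP="${KEEP:-7}"                                         # archives to retain

# Read archive names on stdin and print the ones to delete, keeping the
# $1 newest. Assumes names sort chronologically, e.g. "web-2017-03-18".
archives_to_delete() {
    sort | awk -v keep="$1" '
        { name[NR] = $0 }
        END { for (i = 1; i <= NR - keep; i++) print name[i] }'
}

rotate() {
    # 1. Rebuild the admin host's cache from the archives stored remotely.
    tarsnap --fsck --keyfile "$FULL_KEY" --cachedir "$ADMIN_CACHE" || return 1

    # 2. Delete everything except the newest $KEEP archives. Deletion needs
    #    the delete key, which never leaves the admin host.
    tarsnap --list-archives --keyfile "$FULL_KEY" --cachedir "$ADMIN_CACHE" |
        archives_to_delete "$KEEP" |
        while IFS= read -r name; do
            tarsnap -d --keyfile "$FULL_KEY" --cachedir "$ADMIN_CACHE" \
                -f "$name" || exit 1
        done || return 1

    # 3. Copy the now-consistent cache to the server so its next backup does
    #    not need --fsck. Assumes no backup is running there during the copy.
    rsync -a --delete "$ADMIN_CACHE/" "$SERVER:$SERVER_CACHE/"
}

# Only touch tarsnap when explicitly asked: ./rotate.sh run
if [ "${1:-}" = "run" ]; then
    rotate
fi
```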