Thanks Colin, I’ll reach out once it's done.
I have ~2000 archives. I likely skipped pruning planning when setting up tarsnap-gui (haven’t reinstalled it on my reset Mac, so not sure if it even supported pruning). I don’t want to keep this many archives — and even re-encryption won’t be fast with so many, even if each archive is small.
I saw '--fsck-prune' but it’s not what I thought.
Is there a simple way to delete all except something like — hourly:10 daily:7 weekly:6 monthly:12 yearly:5?
I have 'tarsnap --list-archives | sort' saved (can add '-v' if needed), and since all archive names end in '%Y-%m-%d_%H-%M-%S', I can script something or use an LLM to pick which to keep.
I found https://mail.tarsnap.com/tarsnap-users/msg01678.html and had seen the helper scripts section already. So Tarsnapper is available on homebrew luckily, because couldn’t make prunef ‘make install’ happen.
But then Tarsnapper uses some retention scheme (i.e deltas) in such a way that I guess I can only use days. So it doesn't work:
[tarsnapper’s config.yml]:
jobs:
prune:
target: "{date}"
dateformat: "%Y-%m-%d_%H-%M-%S"
deltas: 10h 7d 6w 12m 5y
[and then (I will remove dry-run after checking once)]:
tarsnapper -c ~/.config/tarsnapper/config.yaml expire --dry-run
results in:
> tarsnapper.config.ConfigError: Not a valid delta: 12m
PS. Any easy way to search across https://mail.tarsnap.com/tarsnap-users, other than opening every link one by one?
> On 15 Aug 2025, at 3:07 AM, Colin Percival <cperciva_at_tarsnap.com_creed-january-twig@duck.com> wrote:
>
> On 8/14/25 11:04, creed-january-twig@duck.com wrote:
>> I *have to* change my tarsnap key (or rather, stop using the old key).
>> I see this https://www.tarsnap.com/tips.html#copy-archive as well but I don’t really understand what it is and what it does - but I don’t see a key mentioned in the command so I guess not like “restic copy”.
>
> Right, that's for copying one archive, using the same keys and within the
> same archival space.
>
>> This https://www.tarsnap.com/man-tarsnap-recrypt.1.html seems to be the only way, right?
>
> Yes. That creates a new archival space, copies everything across, and then
> deletes the old copy.
>
>> Also, the original/existing key was not *passworded*, can I generate the new key as ‘--passphrased’ and then proceed with the recrypt? I am asking because I believe to re-encrypt, ‘tarsnap-keyregen’ has to be used and the key is derived from the old key.
>
> Correct. To be more precise, the chunking parameters are kept from the old
> key but everything else is generated anew. (The chunking parameters need to
> be kept so that new data will deduplicate against the copied data.)
>> This also raised the question - does it render the old key useless after the re-encryption is done, or both keys have access now?
>
> Both keys will work but they'll access different archival spaces (and the
> old keys will point to an archival space with no archives after recrypt
> deletes everything using the old keys).
>
> If this is a "keys were stolen" scenario then let me know and I can disable
> the old keys.
>
> --
> Colin Percival
> FreeBSD Release Engineering Lead & EC2 platform maintainer
> Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid
>