
Re: Copy/migrate archives/history with a new key?



On 8/21/25 04:13, creed-january-twig@duck.com wrote:
Brought the archive count down to 31 from ~2000. Onwards to the re-crypt phase.

Also, the original/existing key was not *passworded*; can I generate the new key as ‘--passphrased’ and then proceed with the recrypt? I am asking because I believe that to re-encrypt, ‘tarsnap-keyregen’ has to be used and the key is derived from the old key.

Correct.  To be more precise, the chunking parameters are kept from the old
key but everything else is generated anew.  (The chunking parameters need to
be kept so that new data will deduplicate against the copied data.)
This also raised the question: does it render the old key useless after the re-encryption is done, or do both keys have access now?

I assume this will happen locally, i.e. old_arch data with old_key will be downloaded, re-crypted into new_arch with new_key, and then uploaded; [old_arch deleted].

Is “re-crypt done local” assumption mentioned above correct? If so:

Yes, that is correct.

1. Is there a way to “exclude” some paths/files while doing this re-crypt since they will happen locally anyway (if my assumption above is not incorrect; or maybe otherwise as well, if that’s possible)?

No.  The recrypt is done on a per-data-block basis and at that level tarsnap
doesn't have any understanding of what files the blocks are associated with.

If not a direct “re-crypt with excludes” cmd/arg way, then can I achieve what I am trying to do in any other way/workaround?

2. Can I also change archive naming while doing this re-crypt? (I am only interested in changing the hostname part, i.e. the label (?) before the time stamp, to keep a streamlined naming from now onwards.) Just in case.

The best approach here is to do filtering on the old system before you
download and re-encrypt everything.  You can run

# tarsnap -c -f newarchive --exclude foo @@oldarchive

to create an archive with a new name consisting of a filtered subset of the
contents of an existing archive.  That will both give you the new name and
take care of the exclusions you want.  (But be careful with --exclude, the
parsing rules for it are nontrivial and it's easy to not do what you intend.)
In particular, the @@oldarchive mechanism allows tarsnap to add references to
blocks without downloading them.

After you have a new archive with the files you want, you can delete the old
archive; and then the recrypt will only have to download/re-encrypt/upload the
data you want to keep.

As an aside OR a long shot: any suggested way to find the versions available of certain folders and files by path across those 30-odd archives? Basically what I am trying to achieve is to not leave any data I know for sure I will never need, and since I kinda dug deeper anyway, I wouldn’t mind digging a bit deeper.

Best approach here is probably something like
tarsnap --list-archives | while read A; do
    tarsnap -tvf "$A" > "$A.contents"
done
and look at those files offline.

--
Colin Percival
FreeBSD Release Engineering Lead & EC2 platform maintainer
Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid
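The `tarsnap -tvf "$A" > "$A.contents"` loop suggested above leaves one listing file per archive; what the original poster then wants is to see, per path, which distinct versions exist and in which archives. The script below is an added example (not from this thread or from the tarsnap project) of doing that offline. It assumes the listings are in the `tar -tv` style that tarsnap prints (mode, link count, user, group, size, month, day, time-or-year, path); the archive names and file entries in `SAMPLE_LISTINGS` are constructed for the example, and `load_contents_dir` is a hypothetical helper that reads real `*.contents` files from the loop's output directory.

```python
"""Offline index of file versions across tarsnap archive listings (example code)."""
import pathlib
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Entry(NamedTuple):
    mode: str
    size: int
    mtime: str   # exactly as tar -tv prints it, e.g. "Jul 30 10:12" or "Jan  5  2023"
    path: str


# One `tar -tv` line: mode links user group size Mon DD (HH:MM|YYYY) path
LINE_RE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+\d+\s+\S+\s+\S+\s+(?P<size>\d+)\s+"
    r"(?P<mtime>[A-Z][a-z]{2}\s+\d{1,2}\s+(?:\d{2}:\d{2}|\d{4}))\s+(?P<path>.*)$"
)

# Constructed sample: three archives from the same host, a week apart.
# notes.txt changes once, cat.jpg never changes, dog.jpg appears only in the last one.
SAMPLE_LISTINGS: Dict[str, str] = {
    "oldhost-2025-08-01_02-00-00": (
        "drwxr-xr-x  0 root   wheel       0 Aug  1 01:59 home/\n"
        "-rw-r--r--  0 alice  alice    4096 Jul 30 10:12 home/alice/notes.txt\n"
        "-rw-r--r--  0 alice  alice  102400 Jul 28 09:00 home/alice/photos/cat.jpg\n"
        "-rw-r--r--  0 alice  alice    8192 Jul 31 23:00 home/alice/.cache/tmp.bin\n"
    ),
    "oldhost-2025-08-08_02-00-00": (
        "drwxr-xr-x  0 root   wheel       0 Aug  8 01:59 home/\n"
        "-rw-r--r--  0 alice  alice    5120 Aug  5 14:40 home/alice/notes.txt\n"
        "-rw-r--r--  0 alice  alice  102400 Jul 28 09:00 home/alice/photos/cat.jpg\n"
        "lrwxr-xr-x  0 alice  alice       0 Aug  6 08:00 home/alice/link -> notes.txt\n"
    ),
    "oldhost-2025-08-15_02-00-00": (
        "drwxr-xr-x  0 root   wheel       0 Aug 15 01:59 home/\n"
        "-rw-r--r--  0 alice  alice    5120 Aug  5 14:40 home/alice/notes.txt\n"
        "-rw-r--r--  0 alice  alice  204800 Aug 12 18:30 home/alice/photos/dog.jpg\n"
    ),
}


def parse_listing(text: str) -> List[Entry]:
    """Parse one archive's -tv listing; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        # symlinks are listed as "name -> target"; index them under the name only
        if m.group("mode").startswith("l") and " -> " in path:
            path = path.split(" -> ", 1)[0]
        entries.append(Entry(m.group("mode"), int(m.group("size")), m.group("mtime"), path))
    return entries


def index_versions(listings: Dict[str, str]) -> Dict[str, List[Tuple[str, int, str]]]:
    """Map each non-directory path to [(archive, size, mtime), ...] in archive-name order."""
    index: Dict[str, List[Tuple[str, int, str]]] = defaultdict(list)
    for archive in sorted(listings):
        for e in parse_listing(listings[archive]):
            if e.mode.startswith("d"):
                continue
            index[e.path].append((archive, e.size, e.mtime))
    return dict(index)


def distinct_versions(index, path: str) -> Dict[Tuple[int, str], List[str]]:
    """Group the archives holding `path` by (size, mtime): one key per distinct version."""
    versions: Dict[Tuple[int, str], List[str]] = {}
    for archive, size, mtime in index.get(path, []):
        versions.setdefault((size, mtime), []).append(archive)
    return versions


def archives_under(index, prefix: str) -> List[str]:
    """Archives that contain at least one file below the given directory prefix."""
    found = set()
    for path, versions in index.items():
        if path.startswith(prefix):
            found.update(archive for archive, _, _ in versions)
    return sorted(found)


def load_contents_dir(directory: str) -> Dict[str, str]:
    """Hypothetical helper: read the "$A.contents" files the shell loop wrote."""
    return {p.name[: -len(".contents")]: p.read_text()
            for p in pathlib.Path(directory).glob("*.contents")}


if __name__ == "__main__":
    idx = index_versions(SAMPLE_LISTINGS)
    for path in sorted(idx):
        print(path)
        for (size, mtime), archives in distinct_versions(idx, path).items():
            print(f"    {size:>8} {mtime}  in {len(archives)} archive(s): {', '.join(archives)}")
```

Running it on the sample shows `home/alice/notes.txt` with two versions and `cat.jpg` with one version present in two archives, which is the kind of view that tells you which archives can be dropped (or which paths to `--exclude` when building the filtered archive) before the recrypt downloads everything. For real data, replace `SAMPLE_LISTINGS` with `load_contents_dir("/path/to/contents")`; grouping by size and mtime is only a heuristic for "same version", since `-tv` does not print checksums.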