Password-protected key files
pjlsergeant opened this issue
I've run the setup wizard, which executes and hangs on:
usr/local/bin//tarsnap --fsck-prune --keyfile /Users/asdf/.tarsnap --cachedir /Users/asdf/Library/Caches/Tarsnap Backup Inc./Tarsnap
/Users/asdf/.tarsnap is password-protected, and I have copy-pasted it from a secure storage space.
Running the command manually prompts me for a password, and indeed if I kill
the process, Tarsnap-gui displays:
tarsnap: Cannot read password: Interrupted system call
tarsnap: Error reading passphrase
tarsnap: Cannot read key file: /Users/asdf/.tarsnap
How is this intended to work?
Working with password-protected keyfiles is not supported in Tarsnap GUI, mainly because there is no safe cross-platform method to store/retrieve/handle the password. Implementing it without storing the password, thus reducing the attack vector to a minimum, is not ideal either; having to type it for every operation does not make the GUI more usable in any way.
My recommendation for best practice is to use a new keyfile for backups with the GUI for every new machine (virtual or physical). If you really have to use the old key, say, you already have loads of TB of data backed up and can't afford to go from scratch for various reasons, you can use the tarsnap-keymgmt tool to generate a non-password-protected key derived from the original one and use that in the GUI.
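Added example (not part of the thread and not the project's own code): one way to carry out the tarsnap-keymgmt step from the reply above so that the resulting unprotected key is never readable by other local users. The function names and the TARSNAP_KEYMGMT override variable are hypothetical; tarsnap-keymgmt prompts for the original key's passphrase and writes the new key without one unless --passphrased is given.

```shell
# Added example; function names and TARSNAP_KEYMGMT are hypothetical.

# Succeeds only if the file grants no permissions to group or other.
key_is_private() {
    # Characters 5-10 of the mode string are the group and other bits.
    perms=$(ls -ld -- "$1" | cut -c5-10) || return 1
    [ "$perms" = "------" ]
}

# derive_unprotected_key SRC DST
# Writes to DST a key without a passphrase, holding the read, write and
# delete keys of the passphrase-protected key file SRC.
derive_unprotected_key() {
    src=$1
    dst=$2
    keymgmt=${TARSNAP_KEYMGMT:-tarsnap-keymgmt}

    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    # Refuse to clobber an existing key file.
    [ ! -e "$dst" ] || { echo "$dst already exists" >&2; return 1; }

    (
        # Restrict the mode before the file is created, so the key is
        # never world-readable, not even briefly.
        umask 077
        "$keymgmt" --outkeyfile "$dst" -r -w -d "$src"
    ) || { rm -f -- "$dst"; return 1; }

    key_is_private "$dst" || {
        echo "$dst is accessible to group or other" >&2
        return 1
    }
}

# Typical call (placeholder paths):
#   derive_unprotected_key /path/to/protected.key "$HOME/.tarsnap-gui.key"
```

The derived file carries the same access to the archives as the original key but has no passphrase, so file permissions and disk encryption are its only protection on that machine.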