tarsnap/recrypt/tarsnap-recrypt.1-mdoc

.\" Copyright 2011-2025 Tarsnap Backup Inc.
.\" All rights reserved.
.\"
.Dd @DATE@
.Dt TARSNAP-RECRYPT 1
.Os
.Sh NAME
.Nm tarsnap-recrypt
.Nd re-encrypts data stored using
.Xr tarsnap 1
.Sh SYNOPSIS
.Nm
.Fl -oldkey Ar old-key-file
.Fl -oldcachedir Ar old-cache-dir
.Fl -newkey Ar new-key-file
.Fl -newcachedir Ar new-cache-dir
.Nm
.Fl -version
.Sh DESCRIPTION
.Nm
downloads and decrypts data using
.Ar old-key-file
and re-encrypts and uploads it using
.Ar new-key-file .
After all the data has been re-uploaded,
.Nm
deletes the data using
.Ar old-key-file
so that the only remaining copy of the data
is encrypted using
.Ar new-key-file .
The key file
.Ar new-key-file
must have been generated by
.Xr tarsnap-keyregen 1
with
.Ar old-key-file .
.Pp
.Nm
checkpoints its progress after every 1-2 GB of data that it has
copied; if it is interrupted it can be re-run and it will
attempt to continue.
.Pp
Note that after
.Nm
completes it will be possible to store more archives using the key
.Ar old-key-file
and the cache directory
.Ar old-cache-dir
so care should be taken to disable any automatic (e.g.,
.Xr cron 8 )
archiving while
.Nm
is run.
.Pp
The
.Fl -version
option prints the version number of
.Nm ,
then exits.
.Sh EXAMPLES
The following sequence of commands will create new keys and re-encrypt
data, assuming that the currently used keys are in
.Pa /root/tarsnap.key
and the current cache directory is
.Pa /usr/local/tarsnap-cache :
.Pp
.Dl Cm tarsnap-keyregen Fl -keyfile Pa /root/tarsnap.key.new Fl -oldkey Pa /root/tarsnap.key Fl -user Ar me@example.com Fl -machine Ar myserver
.Pp
.Dl Nm Fl -oldkey Pa /root/tarsnap.key Fl -oldcachedir Pa /usr/local/tarsnap-cache Fl -newkey Pa /root/tarsnap.key.new Fl -newcachedir Pa /usr/local/tarsnap-cache.new
.Pp
.Dl Cm rm Fl r Pa /usr/local/tarsnap-cache
.Pp
.Dl Cm mv Pa /usr/local/tarsnap-cache.new Pa /usr/local/tarsnap-cache
.Pp
.Dl Cm rm Pa /root/tarsnap.key
.Pp
.Dl Cm mv Pa /root/tarsnap.key.new Pa /root/tarsnap.key