Generate a bupstash sub key with lesser encryption and decryption capabilities.

bupstash new-sub-key -k KEY -o SUB_KEY


bupstash new-sub-key creates a new bupstash key capable of a subset of the encryption and decryption operations of the main key.

Capabilities are any of 'put', 'list' and 'list-contents'. 'put' keys can create new backups but not decrypt data, 'list' keys can decrypt tags and other metadata, while 'list-contents' keys can decrypt the contents of items created by 'bupstash put'.

A typical use of a list-only key would be to allow a cron job to rotate old backups by their search tags, without exposing the data decryption key.

The generated key will be marked readable only for the creating user.

If a sub-key is lost, the original key will still be able to decrypt any data in the repository encrypted by that sub-key.

NOTE: the ability to decrypt data is distinct from the ability to access it. An attacker holding a sub-key may still delete data by simply deleting the items or files they have access to. Use bupstash-serve access controls to restrict which operations a user can perform and to prevent unauthorized deletion of data. This can be done via an ssh authorized_keys file, or through mechanisms such as sudo or doas configuration.


-k, --key PATH
Key to derive the new sub-key from.
-o, --output PATH
Path to where the sub-key will be written.
--put
The key is able to encrypt data for 'put' operations.
--list
The key will be able to decrypt metadata and perform queries.
--list-contents
The key will be able to list item contents with 'list-contents' (implies --list).


Create a new put only key

$ bupstash new-sub-key --put -k ./backups.key -o ./put.key
$ bupstash put -k ./put.key ./data

Create a new listing key

$ bupstash new-sub-key -k ./backups.key -o ./list.key --list
$ bupstash list -k ./list.key

Create a new content listing key

$ bupstash new-sub-key -k ./backups.key -o ./list-contents.key --list-contents
$ bupstash list-contents -k ./list-contents.key name=some-backup.tar
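The note above stresses that a sub-key limits what its holder can decrypt, not what they can do to the repository; the following script is an added example (not part of the bupstash documentation) that pairs each sub-key from the examples with the matching bupstash-serve restriction in an ssh authorized_keys line, and checks that a generated key file is readable only by its owner. It assumes the bupstash-serve flags --allow-put, --allow-list and --allow-remove, a repository at /srv/backups, and the key file names used in the examples.

```shell
#!/bin/sh
# Added example: restrict each sub-key holder's SSH identity to the serve
# operations it actually needs. The --allow-* flags of bupstash-serve and
# the /srv/backups path are assumptions, not taken from this page.
set -eu

# Print the authorized_keys line that confines one SSH public key to the
# named bupstash serve capabilities (put, list, remove) for one repository.
# usage: serve_entry REPO_PATH "PUBKEY" cap [cap...]
serve_entry() {
    repo=$1; pubkey=$2; shift 2
    allow=""
    for cap in "$@"; do
        case $cap in
            put|list|remove) allow="$allow --allow-$cap" ;;
            *) echo "serve_entry: unknown capability: $cap" >&2; return 1 ;;
        esac
    done
    # 'restrict' disables forwarding, pty and agent use for this identity.
    printf 'command="bupstash serve%s %s",restrict %s\n' "$allow" "$repo" "$pubkey"
}

# Succeed only if the key file has mode 0600, i.e. readable by its owner
# alone, which is how new-sub-key is documented to write it.
key_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = "600" ]
}

# Provision the two sub-keys from the examples above and emit the matching
# server-side restrictions: the backup client can only 'put', the rotation
# cron job can only list and remove. Expects CLIENT_PUBKEY and CRON_PUBKEY
# in the environment; only run where bupstash and ./backups.key exist.
provision() {
    bupstash new-sub-key -k ./backups.key -o ./put.key --put
    bupstash new-sub-key -k ./backups.key -o ./list.key --list
    key_is_private ./put.key && key_is_private ./list.key
    serve_entry /srv/backups "$CLIENT_PUBKEY" put
    serve_entry /srv/backups "$CRON_PUBKEY" list remove
}
```

Append the two printed lines to the repository user's ~/.ssh/authorized_keys on the server; a stolen put.key then yields neither plaintext nor the ability to delete existing items.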


bupstash, bupstash-keyfiles