.\" generated with Ronn-NG/v0.9.1
.\" http://github.com/apjanke/ronn-ng/tree/0.9.1
.SH "SYNOPSIS"
Generate a bupstash sub key with lesser encryption and decryption capabilities\.
.P
\fBbupstash new\-sub\-key \-k KEY \-o SUB_KEY\fR
.SH "DESCRIPTION"
\fBbupstash new\-sub\-key\fR creates a new bupstash key capable of a subset of the encryption and decryption operations of the main key\.
.P
Capabilities are any of \'put\', \'list\' and \'list\-contents\'\. \'put\' keys can create new backups but not decrypt data, \'list\' keys can decrypt tags and other metadata, while \'list\-contents\' keys can decrypt the contents of items created by \'bupstash put\'\.
.P
A typical use of a list only key would be to allow a cron job to rotate old backups by their search tags, without exposing the data decryption key\.
.P
The generated key will be marked readable only for the creating user\.
.P
If a sub\-key is lost, the original key will still be able to decrypt any data in the repository encrypted by that sub\-key\.
.P
\fINOTE\fR: decryption differs from access \- An attacker may still delete data by simply deleting the items or files they have access to\. Use bupstash\-serve(1) access controls to restrict which operations a user can perform and prevent unauthorized deletion of data\. This can be done via an ssh authorized_keys file, or through mechanisms such as \fBsudo\fR or \fBdoas\fR configuration\.
.SH "OPTIONS"
.TP
\-k, \-\-key PATH
Key to derive the new sub\-key from\.
.TP
\-o, \-\-output PATH
Path to where the sub\-key will be written\.
.TP
\-\-put
The key is able to encrypt data for \'put\' operations\.
.TP
\-\-list
The key will be able to decrypt metadata and perform queries\.
.TP
\-\-list\-contents
The key will be able to list item contents with \'list\-contents\' (implies \-\-list)\.
.SH "EXAMPLES"
.SS "Create a new put only key"
.nf
\fB$ bupstash new\-sub\-key \-\-put \-k backups\.key \-o \./put\.key
$ bupstash put \-k \./put\.key \./data\fR
.fi
.SS "Create a new listing key"
.nf
\fB$ bupstash new\-sub\-key \-k \./backups\.key \-o \./list\.key \-\-list
$ bupstash list \-k \./list\.key\fR
.fi
.SS "Create a new content listing key"
.nf
\fB$ bupstash new\-sub\-key \-k \./backups\.key \-o \./list\-contents\.key \-\-list\-contents
$ bupstash list\-contents \-k \./list\-contents\.key name=some\-backup\.tar\fR
.fi
.SH "SEE ALSO"
bupstash(1), bupstash\-keyfiles(7)
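.P
Added example, not part of the bupstash project or its documentation: a POSIX shell helper that creates one sub key per role (a put key for the backup client, a list key for the rotation cron job) and checks that each key file has no group or other permission bits before it is deployed. The function names, the overwrite refusal and the permission check are assumptions of this example; only the new sub key flags come from this page.

```shell
#!/bin/sh
# Added example: per-role sub-key provisioning with a permission check.
# All function names below are hypothetical helpers, not bupstash commands.

# Succeed only if FILE is a regular file with no group/other permission bits.
key_is_private() {
    [ -f "$1" ] || return 1
    # Columns 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld -- "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Map a capability named on this page to its new-sub-key flag.
capability_flag() {
    case "$1" in
        put|list|list-contents) printf '%s\n' "--$1" ;;
        *) return 1 ;;
    esac
}

# provision_sub_key CAPABILITY MASTER_KEY OUTPUT
# Returns 2 unknown capability, 3 output exists, 4 bupstash failed,
# 5 key file is readable by group or others.
provision_sub_key() {
    if ! flag=$(capability_flag "$1"); then
        echo "unknown capability: $1" >&2
        return 2
    fi
    if [ -e "$3" ]; then
        echo "refusing to overwrite $3" >&2
        return 3
    fi
    bupstash new-sub-key "$flag" -k "$2" -o "$3" || return 4
    if ! key_is_private "$3"; then
        echo "$3 is accessible to group or others" >&2
        return 5
    fi
    return 0
}

# Usage: sh provision.sh MASTER_KEY OUT_DIR
# The put key goes to the backup client, the list key to the rotation job;
# the master key stays on the machine where this script runs.
if [ "$#" -eq 2 ]; then
    umask 077
    provision_sub_key put "$1" "$2/put.key" &&
        provision_sub_key list "$1" "$2/list.key"
fi
```

Re-run key_is_private on the destination host after copying a key, since a copy can change the file mode.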