PSA: Removing support for old and deprecated encryption algorithms

The next version of Kopia will remove some very old and deprecated encryption algorithms. The removed algorithms were hidden and not available for new repositories since v0.6:

  • NONE - unencrypted format
  • AES-128-CTR
  • AES-192-CTR
  • AES-256-CTR
  • SALSA20
  • SALSA20-HMAC

The only two encryption algorithms going forward will be using AEAD:

  • AES256-GCM-HMAC-SHA256
  • CHACHA20-POLY1305-HMAC-SHA256

If you have one of the repositories using formats that were removed, it’s recommended to create a new repository using one of the modern formats with kopia v0.8.1 and migrate data using:

$ kopia snapshot migrate ...

To check the repository format you currently are using:

$ kopia repository status

While we’re on this topic… just pretend someone has a 54TB repo and wanted to migrate that repo due to the deprecation of this encryption algorithm… well, not me, so that’s a relief for me at least :wink: However, such a migration will take quite some time and I am wondering if the source repo needs to be idle while it’s being migrated, or if this migration can be performed incrementally?

2 Likes

Source repo in this case does not need to be idle and migration is incremental.

The number of folks affected by this should be relatively small - those are repositories created a year ago or more, back when Kopia was much slower than it is today, did not have some key safety features, and had some data integrity bugs. I personally don’t have any of those old repositories anymore.

1 Like

Great - that’s good to know. Just in case anyone is wondering the same thing.