borg2 / N+1: remove pbkdf2 keys?

[ThomasWaldmann]

we have argon2 kdf now, is there any reason to keep pbkdf2 for keys of new repos?

borg 2.0 still needs to support such keys to read old repos, but N+1 could remove it.

Also, it could be removed immediately from borg key change-algorithm.

[ThomasWaldmann]

@hexagonrecursion @enkore any opinion?

[ThomasWaldmann]

borg key change-algorithm was already removed, some remainders also removed in PR #6962.

[dragetd]

I a bit confused: Does this mean Borg allows keys derived from the passphrase? Which I would very much love, to be honest. Makes the setup less complicated (no need to backup the key separately).

Of course security is reduced to the password security, but that is a worth tradeoff if done by an educated user.

[infectormp]

@dragetd You still can use passphrase (repokey)

[ThomasWaldmann]

@dragetd attic and ancient versions of borg supported key material directly derived from the passphrase.

We removed that long ago because that means you could never change the passphrase. And that means your repo never can be safe again when your passphrase is disclosed - even if you noticed that before any attack.

But this is not the topic of this issue.

borg 1.x uses pbkdf2 as a kdf for repokey and keyfile. pbkdf2 is an older algorithm than argon2 and potentially less safe.

after everybody has switched to borg2 repos (argon2 kdf keys) and is finished with transferring archives from borg1 repos (pbkdf2 kdf keys), we do not need to support borg1 keys (with pbkdf2) any more.