add another hash to the borg key? #8036

Open
ThomasWaldmann opened this issue Jan 8, 2024 · 1 comment

ThomasWaldmann commented Jan 8, 2024

When looking at #8035, I noticed borg does an hmac check on the decrypted key.

But to get that, it uses the key derived from the user's passphrase and the encrypted key material from the borg key file.

If the hmac check fails:

  • it could be a wrong passphrase fed into the kdf, leading to a wrong key decryption key
  • it could be wrong encrypted key material from the keyfile (in "borg not accepting passphrase (keyfile blake2)" #8035, the user typed that in from a raw printout of the keyfile contents)

So, that is not super helpful to fix whatever needs fixing, passphrase or key.

Maybe we should add another hmac computed over the encrypted key in borg2, so we can detect if there is an error in the keyfile?

Also: if we know the keyfile is correct (after checking that hmac), we could also be sure that the passphrase is wrong if the other hmac doesn't match.

@ThomasWaldmann ThomasWaldmann added this to the 2.0.0rc1 milestone Jan 8, 2024
ThomasWaldmann (Member, Author) commented

Ehrm, guess we need to use a hash for that, not an hmac.

Because for the hmac, we need a key. The key would be derived from the passphrase. And due to that, we run into the same problem: we won't know if the passphrase is wrong or the key is corrupted if the check fails.

@ThomasWaldmann ThomasWaldmann changed the title add another hmac to the borg key? add another hash to the borg key? Jan 18, 2024
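As an added illustration (not borg's code and not written by the issue author), here is a Python sketch of the two-check layout this thread arrives at: a keyed HMAC over the decrypted key, plus an unkeyed hash over the encrypted key material so keyfile corruption can be told apart from a wrong passphrase. The KDF parameters, the keyfile field names and the toy keystream cipher are assumptions made so the example runs stand-alone.

```python
"""Two-check keyfile sketch: unkeyed hash over the encrypted key material,
keyed HMAC over the decrypted key. Assumed layout, not borg's keyfile format."""
import hashlib
import hmac
import os


def kdf(passphrase: bytes, salt: bytes) -> bytes:
    # Key-encryption key from the passphrase (assumed PBKDF2 parameters).
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 100_000, dklen=32)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Toy hash-based keystream so the example is self-contained; a real
    # implementation would use an authenticated cipher, this is NOT one.
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def make_keyfile(passphrase: bytes, key_material: bytes) -> dict:
    salt = os.urandom(16)
    kek = kdf(passphrase, salt)
    enc = keystream_xor(kek, key_material)
    return {
        "salt": salt,
        "enc_key": enc,
        # keyed check on the decrypted key: fails on a wrong passphrase
        # AND on corrupted key material, so alone it cannot tell them apart
        "hmac": hmac.new(kek, key_material, "sha256").digest(),
        # unkeyed check on the encrypted key: needs no passphrase, so it
        # fails only when the keyfile itself was damaged or mistyped
        "hash": hashlib.sha256(enc).digest(),
    }


def load_keyfile(kf: dict, passphrase: bytes) -> tuple:
    """Return (key_material, "ok"), or (None, reason) naming which input is bad."""
    if not hmac.compare_digest(hashlib.sha256(kf["enc_key"]).digest(), kf["hash"]):
        return None, "keyfile corrupted"  # decided before touching the passphrase
    kek = kdf(passphrase, kf["salt"])
    key_material = keystream_xor(kek, kf["enc_key"])
    expected = hmac.new(kek, key_material, "sha256").digest()
    if not hmac.compare_digest(expected, kf["hmac"]):
        return None, "wrong passphrase"  # keyfile already verified, so only the passphrase remains
    return key_material, "ok"
```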