Changelog
v0.5.1
Released 25 March 2026.
Backups become unreadable to us. The agent encrypts on the host; the control plane keeps nothing it can decrypt.
Agent
Added
- Addedage v1 encryption pipeline (X25519 + ChaCha20-Poly1305). Encrypt, decrypt, and recipient-fingerprint paths, exercised end-to-end against vanilla upstream
ageon the test path.
Control plane
Added
- AddedEnd-to-end encryption to the organisation's public key. Per-organisation X25519 keypair, auto-issued at organisation creation, with a one-time recovery-key download gated behind recent-auth on the security tab. A backfill command exists for organisations created before the keypair work landed.
- AddedPer-backup fingerprint pinned at upload time. A backup's file key is unwrapped on demand with a ranged
GETagainst the age header, so only the few bytes needed reach the control plane. - AddedKeypair rotation as a one-button operation on the organisation security tab. The rotation re-wraps each backup's age header (the file body is untouched), records progress in a
KeypairRotationJob, and handles backups that arrive mid-rotation. - AddedSettings shell with tabs (Organisation / People / Security) for admins, mirroring the operator profile (Identity / Security / Preferences / Activity). Timezone middleware and a
user_dtfilter route every timestamp through the operator's preferences. - AddedOrganisation invitations, with SHA-256-hashed tokens and an accept flow.
Removed
- RemovedAn earlier in-database cache of unwrapped DEKs. Rotation operates on the age header directly; nothing decrypted lives at rest in the metadata DB.