# Alpha

> Backups become unreadable to us. The agent encrypts on the host; the control plane keeps nothing it can decrypt.

URL: https://bkpdb.com/changelog/2026-03-25/
Date: 2026-03-25
Tag: alpha

---

## Agent

### Added

- age v1 encryption pipeline (X25519 + ChaCha20-Poly1305). Encrypt, decrypt, and recipient-fingerprint paths, exercised end-to-end against vanilla upstream `age` on the test path.


## Control plane

### Added

- End-to-end encryption to the organisation's public key. Per-organisation X25519 keypair, auto-issued at organisation creation, with a one-time recovery-key download gated behind recent-auth on the security tab. A backfill command exists for organisations created before the keypair work landed.
- Per-backup fingerprint pinned at upload time. A backup's file key is unwrapped on demand with a ranged `GET` against the age header, so only the few bytes needed reach the control plane.
- Keypair rotation as a one-button operation on the organisation security tab. The rotation re-wraps each backup's age header (the file body is untouched), records progress in a `KeypairRotationJob`, and handles backups that arrive mid-rotation.
- Settings shell with tabs (Organisation / People / Security) for admins, mirroring the operator profile (Identity / Security / Preferences / Activity). Timezone middleware and a `user_dt` filter route every timestamp through the operator's preferences.
- Organisation invitations, with SHA-256-hashed tokens and an accept flow.
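
The ranged `GET` and the header re-wrap above both depend on knowing where the age header ends and the file body begins. As an added illustration (not bkpdb's own code), this parser finds that boundary in a fetched prefix using the public age v1 header layout, and asks for a wider range when the prefix stops short. `read_header`, `fetch`, the size defaults and the sample bytes are assumptions constructed for this example.

```python
import base64

INTRO = b"age-encryption.org/v1\n"

class NeedMoreBytes(Exception):
    """The fetched prefix ended before the header MAC line."""

def parse_age_header(prefix: bytes):
    """Return (header_len, stanzas); each stanza is [type, args, body_b64]."""
    if not prefix.startswith(INTRO):
        if INTRO.startswith(prefix):
            raise NeedMoreBytes("prefix shorter than the version line")
        raise ValueError("not an age v1 file")
    pos, stanzas = len(INTRO), []
    while True:
        end = prefix.find(b"\n", pos)
        if end == -1:
            raise NeedMoreBytes("header continues past the fetched range")
        line, pos = prefix[pos:end], end + 1
        if line.startswith(b"--- "):
            return pos, stanzas  # MAC line closes the header; body starts at pos
        if line.startswith(b"-> "):
            kind, *args = line[3:].decode("ascii").split(" ")
            stanzas.append([kind, args, ""])
        elif stanzas:
            stanzas[-1][2] += line.decode("ascii")  # wrapped body line
        else:
            raise ValueError("body line before any recipient stanza")

def read_header(fetch, first=256, limit=1 << 16):
    """Double the range until the header is complete, up to limit bytes."""
    # fetch(n) is a hypothetical callable standing in for a ranged GET of bytes 0..n-1.
    size = first
    while size <= limit:
        try:
            return parse_age_header(fetch(size))
        except NeedMoreBytes:
            size *= 2
    raise ValueError("no complete age header within the size limit")

def _b64(raw: bytes) -> bytes:
    return base64.b64encode(raw).rstrip(b"=")  # age uses unpadded base64

# Constructed sample: zero-filled share, wrapped key and MAC, not real key material.
SAMPLE_HEADER = (INTRO + b"-> X25519 " + _b64(bytes(32)) + b"\n"
                 + _b64(bytes(32)) + b"\n--- " + _b64(bytes(32)) + b"\n")
SAMPLE_FILE = SAMPLE_HEADER + bytes(16) + b"\n--- payload, not a MAC line\n"
```

Parsing stops at the first MAC line, so body bytes that happen to look like header syntax are never interpreted.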

### Removed

- An earlier in-database cache of unwrapped DEKs. Rotation operates on the age header directly; nothing decrypted lives at rest in the metadata DB.


