Rekey
Rotate password and keyphrase access on eligible archives while preserving the encrypted payload.
Rekey is the workflow for changing password or keyphrase protection on supported archives. It is intended for credential rotation, not for changing every archive type or every protection mode.
The key point is that Rekey rebuilds the access layer while keeping payload.enc unchanged. For eligible archives, this is faster than decrypting and re-encrypting the full payload.
Archive Inspection
Users select an existing .avk archive. Avikal inspects public route hints to determine whether the archive can be rekeyed.
This inspection step prevents the UI from presenting rekey as available for archive types that currently require a different workflow.
Supported Scope
Rekey currently targets normal password and keyphrase archives. It does not currently rekey:
- TimeCapsule archives
- PQC-protected archives
- plain archives that do not need secret rotation
For unsupported cases, the app tells users to decrypt the archive and create a new archive instead.
Current Credentials
Users enter the current password and/or current keyphrase required to unlock the archive.
If the archive was protected by both password and keyphrase, the current required secrets must be provided before the access layer can be rotated.
New Credentials
Users choose the new protection shape:
- new password
- new 21-word keyphrase
- password plus keyphrase
The app validates password strength and keyphrase length before allowing rekey. This mirrors the protection requirements used during archive creation.
Payload-Preserving Rotation
Rekey rebuilds the access layer while keeping payload.enc unchanged. The encrypted file payload is not rewritten as part of a supported credential rotation.
This design makes rekey useful for large archives where rewriting the payload would be unnecessary. It also means Rekey is not a general archive conversion tool. Users who need to change unsupported protection modes should decode and create a new archive with the desired settings.
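The following is an added example, not Avikal's code or archive format. It models payload-preserving rotation as key wrapping: a random payload key is masked with a key derived from the credentials, and rekey replaces only that wrapped copy. The dictionary layout, the function names, the PBKDF2 parameters and the XOR-plus-HMAC wrap (a standard-library stand-in for an authenticated key wrap) are all assumptions.

```python
import hashlib, hmac, os

def combine(password="", keyphrase=""):
    # Length-prefix each secret so ("ab","c") and ("a","bc") derive different keys.
    parts = [password.encode(), keyphrase.encode()]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)

def _derive(secret, salt):
    # 64 bytes: first 32 mask the payload key, last 32 key the integrity tag.
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 200_000, dklen=64)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wrap(payload_key, secret):
    salt = os.urandom(16)  # fresh salt per wrap, so the mask is never reused
    k = _derive(secret, salt)
    wrapped = _xor(payload_key, k[:32])
    tag = hmac.new(k[32:], salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}

def unwrap(layer, secret):
    k = _derive(secret, layer["salt"])
    expect = hmac.new(k[32:], layer["salt"] + layer["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, layer["tag"]):
        raise ValueError("wrong credentials or modified access layer")
    return _xor(layer["wrapped"], k[:32])

def rekey(archive, old_secret, new_secret):
    # Current credentials must unwrap the key before a new layer is written.
    payload_key = unwrap(archive["access"], old_secret)
    return {"access": wrap(payload_key, new_secret),
            "payload.enc": archive["payload.enc"]}  # carried over byte for byte

if __name__ == "__main__":
    key = os.urandom(32)
    old = combine(password="constructed-old-password")
    new = combine(password="constructed-new-password", keyphrase="constructed keyphrase")
    # Constructed sample: random bytes stand in for the encrypted payload.
    archive = {"access": wrap(key, old), "payload.enc": os.urandom(4096)}
    rotated = rekey(archive, old, new)
    print("payload unchanged:", rotated["payload.enc"] == archive["payload.enc"])
    print("new credentials unwrap same key:", unwrap(rotated["access"], new) == key)
```

In this model the payload key itself does not change, so a retained copy of the pre-rotation archive still opens with the old credentials.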