@robryk @filippo @juliank it's not a terrible idea assuming old backups aren't disclosed and assuming no threat actor can maintain silent access. But otherwise that fails to increase the work required for an attack.

The best solution is to signal to the client that rekeying is necessary.