Need an explanation of Multikey in Restic

I read "What is the point of multiple keys" yet am still a little bit confused. I will attempt to explain it as I understand it; please correct me if I have misunderstood. Thanks in advance.

A restic repo has a unique key which is generated during init. Then the user-provided key will be passed through the KDF and the output used to encrypt the unique key. Any subsequent key added via restic key add will run through the same process. All user keys are equal and able to encrypt and decrypt the whole repo.

The summary is correct. One possible use case of different keys would be to have a key in each repository that is encrypted with the password of a central management host. Or to create two different keys to have a backup of the master key.


Thank you both for the explanation. I’ve just added an administrative key to some employees’ backup repos on the server. It makes administration much easier! For a regular prune or check, the key must be kept on the server anyway. Now it’s one key instead of 5. Also, as administrator, I don’t have to care about the users’ passwords anymore. I can just delete and add a new one, if employees forget their password.
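
The design summarised in this thread, as an added Python sketch that is not restic's code and not part of any post above: one master key, wrapped separately under each password, so an administrative key can replace a forgotten user key. The function names, the slot layout, the scrypt parameters and the HMAC-based XOR wrap are assumptions chosen to stay within the standard library; they stand in for restic's actual cipher and key-file format.

```python
import hashlib, hmac, os

# Low scrypt cost so the demo is fast; not a recommended production setting.
SCRYPT = dict(n=2**12, r=8, p=1, dklen=64)

def _derive(password, salt):
    # Password -> KDF -> (wrapping key, MAC key) for one key slot.
    out = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return out[:32], out[32:]

def _xor_pad(enc_key, data):
    # Stand-in for a real cipher: 32-byte one-time pad, unique per slot via the salt.
    pad = hmac.new(enc_key, b"wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, pad))

def _wrap(master, password):
    salt = os.urandom(16)
    enc, mac = _derive(password, salt)
    wrapped = _xor_pad(enc, master)
    tag = hmac.new(mac, salt + wrapped, hashlib.sha256).digest()
    return salt, wrapped, tag

def unwrap(slots, password):
    """Try each slot; return the master key from the first whose MAC verifies."""
    for salt, wrapped, tag in slots.values():
        enc, mac = _derive(password, salt)
        expect = hmac.new(mac, salt + wrapped, hashlib.sha256).digest()
        if hmac.compare_digest(tag, expect):
            return _xor_pad(enc, wrapped)
    raise PermissionError("no key slot matches this password")

def _store(slots, slot):
    slot_id = hashlib.sha256(b"".join(slot)).hexdigest()[:8]
    slots[slot_id] = slot
    return slot_id

def init(password):
    slots = {}                                   # slot id -> (salt, wrapped, tag)
    _store(slots, _wrap(os.urandom(32), password))  # master key is generated once
    return slots

def add_key(slots, current_password, new_password):
    # Adding a key needs an existing one: the same master key gets a second wrapper.
    return _store(slots, _wrap(unwrap(slots, current_password), new_password))

def remove_key(slots, current_password, slot_id):
    unwrap(slots, current_password)              # caller must hold some valid key
    if len(slots) == 1:
        raise ValueError("refusing to remove the last key slot")
    del slots[slot_id]
```

Removing a slot revokes a password only; the master key underneath is unchanged, which is why existing data stays readable under the replacement key.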