"restic forget" with ciphertext validation issue

I am getting the “ciphertext verification failed” error. After reading up & troubleshooting, I found that I have two keys in the restic repo for some reason. I tried removing each key & testing commands with only the other. One key fails entirely:

bash-5.0# ls keys/
bash-5.0# restic -r . snapshots
Fatal: config cannot be loaded: ciphertext verification failed

One key mostly works, but fails with some snapshots:

bash-5.0# ls keys/
bash-5.0# restic -r . snapshots
repository 85820f75 opened successfully, password is correct
could not load snapshot 002b41b5: ciphertext verification failed
... 90 lines
could not load snapshot ff6e8732: ciphertext verification failed
ID        Time                 Host                           Tags                      Paths
0eb895fa  2023-06-07 23:20:46  host-etc-etc  222c8478-9fdc-4412-b3df-38f5815ee1d8  /some/dir
... ~110 lines
57f5b54c  2023-07-04 09:55:50  host-etc-etc  a3d68bc2-0b8f-4eaa-923d-3064faecc0a6  /some/dir
120 snapshots

There’s no overlap between the “ciphertext verification failed” list and the successful snapshots list.

My codebase calls the above method with the --json flag & parses it. That’s failing, since it’s prefaced with the “could not load snapshot fc6124b5: ciphertext verification failed” errors. I tried running restic forget for all of the ciphertext issue snapshots, but that outputs: “Ignoring “[hash]”, could not load snapshot: ciphertext verification failed”

Can I safely delete those snapshots? Changing to the other key doesn’t let me delete them. I’d like to simply delete the directories for these snapshots, but I’m not sure that’s safe.

That looks a lot like you merged the files of two different repositories. Removing the problematic snapshots (their filename starts with their id) manually is safe.

Please run restic check afterwards to get an idea of the state the repository is currently in. Its probably fine (except for some garbage data), but who knows.

The errors are printed on stderr. The output on stdout should still only contain JSON.