Do backups get pruned over time? Is there an expiration? I don't think folks want old lost-key backups sitting around forever for quantum to catch up, right?
"On the other hand, symmetric algorithms such as AES are believed to be immune to Shor. In most cases, the best-known quantum key recovery attack uses
Grover’s algorithm which provides a generic square-root speed-up over classical
exhaustion in terms of the number of queries to the symmetric algorithm. In other
words, Grover would recover the 256-bit key for AES-256 with around 2^128 quantum
queries to AES compared to around 2^256 classical queries for exhaustion.
"