Description
From #448:
Currently, Gridsync operates under the assumption that Recovery Keys will not be shared between multiple devices -- in other words, that a given Recovery Key will be loaded/used only in situations in which the original device (i.e., the one on which the Recovery Key was created) has been lost or is otherwise inaccessible to the user. Nevertheless, it remains possible for the original device to be restored -- or for the same Recovery Key to be loaded on multiple devices -- such that multiple separate devices could end up writing to the same remote location. Given Tahoe-LAFS's known limitations with uncoordinated writes, this could lead to errors or data loss.
In addition to merely warning users about the risks of using the same Recovery Key across multiple/separate devices, Gridsync should implement additional measures to prevent the same Recovery Key (and/or the underlying collection of writecaps that comprise it) from being written to by multiple parties. This might involve a strongly-enforced Recovery Key rotation scheme (in which users might be prompted to create a new Recovery Key -- and/or unlink or otherwise destroy the contents of the old one -- upon completing the recovery process).
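The rotation scheme sketched above, as an added toy model that is not Gridsync or Tahoe-LAFS code: the remote grid is a plain dict, a Recovery Key carries the rootcap plus the "generation" it was minted under, and completing recovery bumps the generation so that any other copy of the old key (including one on a restored original device) is fenced out of writing. The rootcap string and the generation field are constructed for the example; a real implementation would have to anchor the check to the mutable directory's own versioning rather than to an in-memory dict.

```python
"""Toy model of a Recovery Key rotation scheme (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class Grid:
    # rootcap -> {"generation": int, "contents": dict}; stands in for the remote grid
    dirs: dict = field(default_factory=dict)


@dataclass(frozen=True)
class RecoveryKey:
    rootcap: str      # placeholder rootcap string, not a real Tahoe-LAFS cap
    generation: int   # generation the key was minted under


class StaleRecoveryKey(Exception):
    """Raised when a device tries to act under a Recovery Key that was rotated away."""


def create_recovery_key(grid: Grid, rootcap: str) -> RecoveryKey:
    """Mint the first Recovery Key for a rootcap (generation 0)."""
    node = grid.dirs.setdefault(rootcap, {"generation": 0, "contents": {}})
    return RecoveryKey(rootcap, node["generation"])


def is_current(grid: Grid, key: RecoveryKey) -> bool:
    """True only if no later recovery has rotated this key out."""
    return grid.dirs[key.rootcap]["generation"] == key.generation


def write(grid: Grid, key: RecoveryKey, name: str, data: bytes) -> None:
    """Fenced write: a retired key must never reach the remote directory."""
    if not is_current(grid, key):
        raise StaleRecoveryKey(f"generation {key.generation} has been retired")
    grid.dirs[key.rootcap]["contents"][name] = data


def complete_recovery(grid: Grid, old_key: RecoveryKey) -> RecoveryKey:
    """Finish recovery on a new device: bump the generation and return a fresh key.

    Every other copy of old_key is now stale, so two devices can no longer
    end up writing to the same location under the same key.
    """
    if not is_current(grid, old_key):
        raise StaleRecoveryKey("this Recovery Key was already used for a recovery")
    node = grid.dirs[old_key.rootcap]
    node["generation"] += 1
    return RecoveryKey(old_key.rootcap, node["generation"])
```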