From dd78dc61abbfe070cf3bb51e82df4b0c9438d1b8 Mon Sep 17 00:00:00 2001
From: Julio Lopez <1953782+julio-lopez@users.noreply.github.com>
Date: Tue, 24 Jun 2025 15:53:55 -0700
Subject: [PATCH] fix(general): migrate remnant piece to crypto/hkdf (#4691)

- Followup to #4678
---
 repo/encryption/encryption.go | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/repo/encryption/encryption.go b/repo/encryption/encryption.go
index 22b361563..91d9f2e4a 100644
--- a/repo/encryption/encryption.go
+++ b/repo/encryption/encryption.go
@@ -2,12 +2,11 @@
 package encryption
 
 import (
+	"crypto/hkdf"
 	"crypto/sha256"
-	"io"
 	"sort"
 
 	"github.com/pkg/errors"
-	"golang.org/x/crypto/hkdf"
 
 	"github.com/kopia/kopia/internal/gather"
 )
@@ -97,9 +96,10 @@ func deriveKey(p Parameters, purpose []byte, length int) ([]byte, error) {
 		return nil, errors.Errorf("derived key must be at least %d bytes, was %v", minDerivedKeyLength, length)
 	}
 
-	key := make([]byte, length)
-	k := hkdf.New(sha256.New, p.GetMasterKey(), purpose, nil)
-	io.ReadFull(k, key) //nolint:errcheck
+	derivedKey, err := hkdf.Key(sha256.New, p.GetMasterKey(), purpose, "", length)
+	if err != nil {
+		return nil, errors.Wrap(err, "unable to derive key")
+	}
 
-	return key, nil
+	return derivedKey, nil
 }