Encryption for secure online storage

I was evaluating a suitable encryption plan for online storage.

Goals:

  • allows the server side to validate the file for bit rot without a decryption key

  • AEAD

An option is rclone, which uses XSalsa20-Poly1305. rclone is a powerful tool, but when it comes to encryption specifically, there are some flaws:

  • No truncation protection: it is possible to remove blocks from the end of a file without being noticed. However, it is immune to some other attacks, like swapping the order of blocks in a file or swapping blocks between files, thanks to the sequential nonce. This isn't a huge problem for me, as the first goal requires storing the hash of the encrypted file.

  • rclone is a complicated program. That is good if the features are used, but it also means more chances for things to get messed up. There's even an option, no_data_encryption, not to encrypt the file content at all. There are also some crypt-related bugs, mainly when used in conjunction with other remotes.

  • rclone is a bit heavy; the design usually requires you to use a config file, which makes it more complicated to use with a script. Though I found a way to use it to encrypt without one:

echo "Your text to encrypt" | ./rclone rcat :crypt:a.txt --config=/dev/null --crypt-remote=. --crypt-filename-encryption=off --crypt-directory-name-encryption=false --crypt-password=`./rclone obscure test`
./rclone cat --crypt-remote=. --crypt-filename-encryption=off --crypt-directory-name-encryption=false --crypt-password=`./rclone obscure test` :crypt:a.txt --config=/dev/null
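
The truncation gap from the first bullet above, as an added example in Go (the language rclone is written in) that is not rclone's code or the author's: per-block AEAD with a sequential nonce rejects reordered blocks but accepts a file whose final block was removed, while a SHA-256 of the whole ciphertext, the keyless check from the first goal, exposes the change. Assumptions: AES-GCM from Go's standard library stands in for XSalsa20-Poly1305, and the 16-byte block size, the 8-byte prefix plus 4-byte counter nonce layout, the key and all function names are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const blockSize = 16 // tiny plaintext blocks so the constructed sample spans three
func demoAEAD() cipher.AEAD {
	c, _ := aes.NewCipher(make([]byte, 32)) // constructed all-zero key, demo only
	g, _ := cipher.NewGCM(c)
	return g
}
func nonceFor(prefix []byte, i int) []byte { // per-file prefix || block counter
	return binary.BigEndian.AppendUint32(append([]byte(nil), prefix[:8]...), uint32(i))
}
func chunks(b []byte, n int) (out [][]byte) { // pieces of at most n bytes
	for ; len(b) > n; b = b[n:] {
		out = append(out, b[:n])
	}
	return append(out, b)
}

// SealBlocks encrypts pt block by block; each stored block ends with its own tag.
func SealBlocks(g cipher.AEAD, prefix, pt []byte) (ct []byte) {
	for i, b := range chunks(pt, blockSize) {
		ct = g.Seal(ct, nonceFor(prefix, i), b, nil)
	}
	return ct
}

// OpenBlocks verifies blocks in order but has no record of how many there should be.
func OpenBlocks(g cipher.AEAD, prefix, ct []byte) (pt []byte, err error) {
	for i, b := range chunks(ct, blockSize+g.Overhead()) {
		if pt, err = g.Open(pt, nonceFor(prefix, i), b, nil); err != nil {
			return nil, fmt.Errorf("block %d: %w", i, err)
		}
	}
	return pt, nil
}

func main() {
	ct := SealBlocks(demoAEAD(), []byte("file0001"), []byte("constructed sample, forty bytes of data."))
	pt, err := OpenBlocks(demoAEAD(), []byte("file0001"), ct[:64]) // final block removed
	fmt.Printf("%q err=%v digest changed=%v\n", pt, err, sha256.Sum256(ct) != sha256.Sum256(ct[:64]))
}
```

Storing the expected block count or total length inside the authenticated data would let the key holder detect the truncation as well; the ciphertext hash covers it for anyone, with or without the key.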

Alternative: I wrote a simple wrapper program for OpenSSL, aesgcm. The regular AES-GCM limits apply, such as the 64GB file limit. I didn't split the file into blocks, which saves a tiny amount of space and allows direct validation of the whole input. It introduces a slightly higher forgery risk. AES is much faster than XSalsa20 on my machines due to the AES instructions, but both are faster than disk I/O.

From a security perspective, both are very good. There is some criticism of AES-GCM. AES has lived longer and received better review, but parts of the design are a bit restrictive, such as the 128-bit block. The shorter nonce makes it more vulnerable to the birthday paradox when using random ones.

In the end I chose my own tool. I am keeping an eye on rclone, as there are ongoing discussions that may result in better options. In the future there might also be more reasons to choose XSalsa20 over AES.

