This is freaking fantastic. I only wish it existed when I wrote my last encrypted filesystem a few years back.
Nonce collision is a huge concern on large file system deployments. 2^32 seems huge but when you’re writing 100k iops a second on a PB array the chance of collision is almost guaranteed if you’re betting on PRNG randomness.
Why is nonce collision a problem though? It just means that two blocks share the same encryption key, right? Without knowing the plaintext in either block, how does that weaken the security of the system?
Encryption with the same key and repeated nonce/counter produces the same cipher stream. Ciphertext in GCM (or CTR) mode is cipherstream XOR plaintext, thus given two ciphertexts with the same key/nonce:
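An added worked example (not from any commenter in this thread) of the two points above: why a repeated (key, nonce) pair in a CTR/GCM-style stream cipher leaks the XOR of the two plaintexts to anyone holding both ciphertexts, and how quickly random 32-bit nonces are expected to collide at 100k writes per second. The keystream is a SHA-256 counter construction used as a dependency-free stand-in for AES; the nonce-reuse property is the same because any CTR/GCM keystream depends only on (key, nonce, counter).

```python
import hashlib
import math


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in CTR keystream: SHA-256(key || nonce || counter) blocks (assumption: not AES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """CTR-style encryption: ciphertext = keystream XOR plaintext (decryption is identical)."""
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


def leaked_plaintext_xor(c1: bytes, c2: bytes) -> bytes:
    """What a passive observer computes from two ciphertexts, with no key: c1 ^ c2 = p1 ^ p2
    if (key, nonce) was reused, because the shared keystream cancels out."""
    return xor(c1, c2)


def collision_probability(nonce_bits: int, writes: int) -> float:
    """Birthday-bound estimate of P(at least one repeated nonce) among `writes` random nonces."""
    space = 2.0 ** nonce_bits
    return 1.0 - math.exp(-writes * (writes - 1) / (2.0 * space))


def writes_until_half_chance(nonce_bits: int) -> float:
    """Number of random nonces after which a repeat is 50% likely: sqrt(2 ln2 * 2^n)."""
    return math.sqrt(2.0 * math.log(2.0) * 2.0 ** nonce_bits)


if __name__ == "__main__":
    key, nonce = b"constructed-demo-key", b"nonce-01"      # constructed sample values
    p1, p2 = b"block one, secret", b"block two, secret"     # equal-length sample blocks
    c1, c2 = encrypt(key, nonce, p1), encrypt(key, nonce, p2)
    print("c1 ^ c2 == p1 ^ p2:", leaked_plaintext_xor(c1, c2) == xor(p1, p2))
    n = writes_until_half_chance(32)
    print(f"32-bit nonces: 50% collision after ~{n:.0f} writes, "
          f"~{n / 100_000:.2f} s at 100k writes/s")
```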